Detect Rundll32 in IBM QRadar
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe avoids triggering security tools that allowlist it or ignore it due to high noise. Rundll32 can execute DLL payloads, Control Panel items (.cpl via Control_RunDLL), JavaScript (via mshtml,RunHTMLApplication), remote COM scriptlets, and system DLLs (zipfldr.dll, ieframe.dll). Adversaries may also invoke DLL exports by ordinal number, or obscure the function names they call by appending W/A character-set suffixes. Widely used by InvisiMole, Latrodectus, FIN8, APT28, BoomBox, MegaCortex, QakBot, Emotet, Cobalt Strike, and many ransomware families.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1218 System Binary Proxy Execution
- Sub-technique: T1218.011 Rundll32
- Canonical reference: https://attack.mitre.org/techniques/T1218/011/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    "username",
    "sourceip",
    "Process Name" AS process_name,
    "Command" AS command_line,
    "Parent Process Name" AS parent_process,
    CASE
        WHEN LOWER("Command") MATCHES '.*(javascript:|mshtml|runhtmlapplication).*' THEN 1 ELSE 0
    END AS javascript_exec,
    CASE
        WHEN LOWER("Command") MATCHES '.*(https?://|getobject\().*' THEN 1 ELSE 0
    END AS remote_sct,
    CASE
        WHEN LOWER("Command") MATCHES '.*minidump.*' THEN 1 ELSE 0
    END AS minidump_flag,
    CASE
        WHEN LOWER("Command") MATCHES '.*(control_rundll|\.cpl).*' THEN 1 ELSE 0
    END AS control_panel,
    CASE
        WHEN LOWER("Command") MATCHES '.*(temp|appdata|downloads|public|desktop).*' THEN 1 ELSE 0
    END AS suspicious_path,
    CASE
        WHEN LOWER("Command") MATCHES '.*,#[0-9]+.*' THEN 1 ELSE 0
    END AS ordinal_load,
    CASE
        WHEN LOWER("Parent Process Name") MATCHES '.*(winword|excel|outlook|powerpnt)\.exe' THEN 1 ELSE 0
    END AS office_parent,
    CASE
        WHEN LOWER("Parent Process Name") MATCHES '.*(cmd|powershell|wscript|cscript|mshta)\.exe' THEN 1 ELSE 0
    END AS script_parent
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
    AND ("EventID" = 4688 OR "EventID" = 1)
    AND (LOWER("Process Name") MATCHES '.*\\rundll32\.exe'
         OR LOWER("Command") MATCHES '.*rundll32.*')
    AND (
        LOWER("Command") MATCHES '.*(javascript:|mshtml|runhtmlapplication).*'
        OR LOWER("Command") MATCHES '.*(https?://|getobject\().*'
        OR LOWER("Command") MATCHES '.*minidump.*'
        OR LOWER("Parent Process Name") MATCHES '.*(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe'
        OR LOWER("Command") MATCHES '.*,#[0-9]+.*'
    )
ORDER BY starttime DESC
LIMIT 500
LAST 24 HOURS

Detects rundll32.exe proxy execution abuse using QRadar AQL by querying Windows Security Event 4688 (process creation) and Sysmon Event 1 for command-line patterns indicating JavaScript execution via mshtml, remote COM scriptlet loading, MiniDump credential dumping, ordinal-based loading, and execution from suspicious parent processes. Risk indicators are scored inline: the control_panel and suspicious_path flags add context to a returned row but do not on their own cause an event to be returned. Substring patterns are wrapped in .* so that they match the whole field value, as AQL's MATCHES requires, and the time window is expressed with the LAST clause.
False Positives & Tuning
- Legitimate antivirus or endpoint detection products that use rundll32.exe with system DLLs during scanning or remediation routines, especially via PowerShell parent processes
- Windows system maintenance tasks such as SFC or DISM wrappers that internally invoke rundll32.exe with shell32.dll functions from administrative cmd.exe sessions
- Software deployment pipelines (SCCM, Intune) that chain PowerShell or cmd.exe to rundll32.exe for MSI-related installation helper calls
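The following Python script is an added example and is not part of this detection page or of QRadar: it re-implements the query's indicator flags and its alerting condition over a handful of constructed process-creation records (modelled on the three Atomic Red Team tests in the testing section and on the false-positive cases above) and applies one constructed tuning exclusion for the administrative cmd.exe case. The indicator regexes are the ones from the query; the ProcessEvent class, the sample command lines and the TUNING_EXCLUSIONS entry are assumptions made here. Note that Python's re.search finds a pattern anywhere in the string, whereas AQL's MATCHES must match the whole field, which is why the AQL patterns carry .* on both sides.

```python
import re
from dataclasses import dataclass

# Command-line indicators, mirroring the CASE expressions of the AQL query.
# re.search finds the pattern anywhere in the string; QRadar's MATCHES must
# match the whole field, which is why the AQL patterns are wrapped in '.*'.
COMMAND_INDICATORS = {
    "javascript_exec": r"(javascript:|mshtml|runhtmlapplication)",
    "remote_sct": r"(https?://|getobject\()",
    "minidump_flag": r"minidump",
    "control_panel": r"(control_rundll|\.cpl)",
    "suspicious_path": r"(temp|appdata|downloads|public|desktop)",
    "ordinal_load": r",#[0-9]+",
}
PARENT_INDICATORS = {
    "office_parent": r"(winword|excel|outlook|powerpnt)\.exe",
    "script_parent": r"(cmd|powershell|wscript|cscript|mshta)\.exe",
}
# Indicators the query's WHERE clause treats as sufficient on their own to
# surface an event; control_panel and suspicious_path are context only.
ALERTING = {"javascript_exec", "remote_sct", "minidump_flag", "ordinal_load",
            "office_parent", "script_parent"}

# Hypothetical tuning exclusion (constructed here, not from the page): when both
# the parent and the lower-cased command line match, the alert is suppressed.
# This entry models the "maintenance task from an administrative cmd.exe
# session" false positive: shell32.dll Control_RunDLL opening a .cpl applet.
TUNING_EXCLUSIONS = [
    (r"^cmd\.exe$",
     r"^rundll32\.exe\s+c:\\windows\\system32\\shell32\.dll,control_rundll\s+\S+\.cpl$"),
]


@dataclass
class ProcessEvent:
    """The three fields of a Security 4688 / Sysmon 1 record that the query inspects."""
    process: str
    command: str
    parent: str


def is_rundll32(ev: ProcessEvent) -> bool:
    """Same scoping as the query: the image ends in \\rundll32.exe or the command names it."""
    return ev.process.lower().endswith("\\rundll32.exe") or "rundll32" in ev.command.lower()


def score(ev: ProcessEvent) -> dict:
    """Return the indicator flags, whether the query would surface the event,
    and whether a tuning exclusion suppresses that alert."""
    cmd, parent = ev.command.lower(), ev.parent.lower()
    flags = {name for name, rx in COMMAND_INDICATORS.items() if re.search(rx, cmd)}
    flags |= {name for name, rx in PARENT_INDICATORS.items() if re.search(rx, parent)}
    alert = is_rundll32(ev) and bool(flags & ALERTING)
    suppressed = alert and any(
        re.search(p_rx, parent) and re.search(c_rx, cmd) for p_rx, c_rx in TUNING_EXCLUSIONS
    )
    return {"flags": sorted(flags), "alert": alert, "suppressed": suppressed}


# Constructed telemetry, modelled on the three tests and the tuning notes.
SAMPLE_EVENTS = {
    "lsass_minidump": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe",
        r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump C:\Windows\Temp\lsass.dmp",
        "powershell.exe"),
    "mshtml_javascript": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe",
        r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";',
        "explorer.exe"),
    "temp_ordinal": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe",
        r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,#1",
        "explorer.exe"),
    "admin_cpl_from_cmd": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe",
        r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL sysdm.cpl",
        "cmd.exe"),
    "user_cpl_from_explorer": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe",
        r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL appwiz.cpl",
        "explorer.exe"),
}


def triage(events=None) -> dict:
    """Score every event; defaults to the constructed samples."""
    return {name: score(ev) for name, ev in (events or SAMPLE_EVENTS).items()}


if __name__ == "__main__":
    for name, r in triage().items():
        print(f"{name:24s} alert={r['alert']!s:5s} suppressed={r['suppressed']!s:5s} flags={r['flags']}")
```

Running the script shows the three test cases alerting, the cmd.exe-launched Control Panel applet alerting on script_parent but being suppressed by the exclusion, and the explorer.exe-launched applet carrying only the control_panel context flag without alerting. Keeping the exclusion as a (parent, full command line) pair, rather than dropping the script_parent indicator, preserves the alert for the same parent with any other rundll32 argument.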
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Rundll32 LSASS Dump via comsvcs.dll MiniDump
  Expected signal: Sysmon Event ID 1: powershell.exe then rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 10 (Process Access): rundll32.exe accessing lsass.exe. Sysmon Event ID 11: lsass.dmp file created in Temp. Windows Defender will likely block this on patched systems.
- Test 2: Rundll32 JavaScript Execution via mshtml
  Expected signal: Sysmon Event ID 1: rundll32.exe with javascript: and mshtml in command line. If WScript.Shell successfully runs calc.exe, a child process creation event for calc.exe with ParentImage=rundll32.exe will appear.
- Test 3: Rundll32 DLL Execution from Temp Directory
  Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: rundll32.exe with ordinal (#1) and Temp path. Sysmon Event ID 7: DLL loaded by rundll32.exe. Security Event ID 4688.
References
- https://attack.mitre.org/techniques/T1218/011/
- https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
- https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md
- https://blog.f-secure.com/hunting-for-the-undefined-behavior-the-case-of-comsvcs-dll/
- https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security