T1218.011 Microsoft Sentinel · KQL

Detect Rundll32 in Microsoft Sentinel

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe avoids triggering security tools that allowlist it or ignore it due to high noise. Rundll32 can execute DLL payloads, Control Panel items (.cpl via Control_RunDLL), JavaScript (via mshtml,RunHTMLApplication), remote COM scriptlets, and system DLLs (zipfldr.dll, ieframe.dll). Adversaries may also export DLL functions by ordinal number or obscure function names by appending W/A character set suffixes. Widely used by InvisiMole, Latrodectus, FIN8, APT28, BoomBox, MegaCortex, QakBot, Emotet, Cobalt Strike, and many ransomware families.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.011 Rundll32
Canonical reference
https://attack.mitre.org/techniques/T1218/011/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousDLLs = dynamic(["zipfldr.dll", "ieframe.dll", "comsvcs.dll", "shell32.dll", "advpack.dll", "shdocvw.dll"]);
let SuspiciousFunctions = dynamic(["MiniDump", "Control_RunDLL", "RunHTMLApplication", "LaunchINFSection", "OpenURL"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| extend JavaScriptExec = ProcessCommandLine has_any ("javascript:", "mshtml", "RunHTMLApplication")
| extend RemoteSCT = ProcessCommandLine has_any ("http://", "https://", "GetObject(")
| extend MiniDump = ProcessCommandLine has "MiniDump"
| extend ControlPanel = ProcessCommandLine has_any ("Control_RunDLL", ".cpl")
| extend SuspiciousFunc = ProcessCommandLine has_any (SuspiciousFunctions)
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop")
| extend OrdinalLoad = ProcessCommandLine matches regex @",#\d+"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where JavaScriptExec or RemoteSCT or MiniDump or (SuspiciousPath and SuspiciousParent) or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, JavaScriptExec, RemoteSCT, MiniDump, ControlPanel,
         SuspiciousPath, OrdinalLoad, SuspiciousParent
| sort by Timestamp desc
high severity medium confidence

Detects rundll32.exe abuse across multiple attack patterns: JavaScript execution via mshtml (Poweliks), remote SCT/COM scriptlet loading, LSASS memory dump via comsvcs.dll MiniDump, Control Panel item execution, DLL loading from suspicious paths with scripting parents, and ordinal-based DLL function invocation. Covers ransomware, APT, and commodity malware patterns.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate software using rundll32.exe to load and execute DLL functions from Program Files, such as printer drivers, codec installers, and application extensions
  • Windows itself uses rundll32.exe for various system functions including Control Panel applets and shell extensions
  • Software deployment tools (SCCM) that use rundll32.exe to trigger installation DLL entry points
  • Security tools and EDR agents that may use rundll32.exe as part of their injection or hooking mechanisms
Download portable Sigma rule (.yml)

Other platforms for T1218.011

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rundll32 LSASS Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: powershell.exe then rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 10 (Process Access): rundll32.exe accessing lsass.exe. Sysmon Event ID 11: lsass.dmp file created in Temp. Windows Defender will likely block this on patched systems.

  2. Test 2Rundll32 JavaScript Execution via mshtml

    Expected signal: Sysmon Event ID 1: rundll32.exe with javascript: and mshtml in command line. If WScript.Shell successfully runs calc.exe, a child process creation event for calc.exe with ParentImage=rundll32.exe will appear.

  3. Test 3Rundll32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: rundll32.exe with ordinal (#1) and Temp path. Sysmon Event ID 7: DLL loaded by rundll32.exe. Security Event ID 4688.

Last updated: 2026-04-19 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1218.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1003.001LSASS MemoryT1059.007JavaScriptT1218.010Regsvr32T1218.002Control PanelT1546.015Component Object Model HijackingT1547.001Registry Run Keys / Startup Folder

Same Tactic: Defense Evasion

Popular Detections