T1218.011 Splunk · SPL

Detect Rundll32 in Splunk

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Running payloads through rundll32.exe avoids triggering security tools that allowlist it or ignore it because of its high noise. Rundll32 can execute DLL payloads, Control Panel items (.cpl via Control_RunDLL), JavaScript (via mshtml,RunHTMLApplication), remote COM scriptlets, and system DLLs (zipfldr.dll, ieframe.dll). Adversaries may also invoke DLL exports by ordinal number, or obscure function names by relying on the W/A character-set suffixes rundll32 appends when resolving an export name. Widely used by InvisiMole, Latrodectus, FIN8, APT28, BoomBox, MegaCortex, QakBot, Emotet, Cobalt Strike, and many ransomware families.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.011 Rundll32
Canonical reference
https://attack.mitre.org/techniques/T1218/011/

SPL Detection Query

Splunk (SPL)

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\rundll32.exe" OR ParentImage="*\\rundll32.exe")
| eval JavaScriptExec=if(match(CommandLine, "(javascript:|mshtml|RunHTMLApplication)"), 1, 0)
| eval RemoteSCT=if(match(CommandLine, "(http[s]?://|GetObject\()"), 1, 0)
| eval MiniDump=if(match(CommandLine, "MiniDump"), 1, 0)
| eval ControlPanel=if(match(CommandLine, "(Control_RunDLL|\.cpl)"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop)"), 1, 0)
| eval OrdinalLoad=if(match(CommandLine, ",#[0-9]+"), 1, 0)
| eval OfficeParent=if(match(ParentImage, "(winword|excel|outlook|powerpnt)\.exe"), 1, 0)
| eval ScriptParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta)\.exe"), 1, 0)
| eval SuspiciousChild=if(like(ParentImage, "%\\rundll32.exe") AND match(Image, "(cmd|powershell|wscript|cscript|net|certutil)\.exe"), 1, 0)
| eval RiskScore=JavaScriptExec + RemoteSCT + MiniDump + (SuspiciousPath * (OfficeParent + ScriptParent)) + OrdinalLoad + OfficeParent + SuspiciousChild
| where RiskScore > 0 OR SuspiciousChild=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, JavaScriptExec, RemoteSCT, MiniDump, ControlPanel, SuspiciousPath, OrdinalLoad, OfficeParent, ScriptParent, SuspiciousChild, RiskScore
| sort - _time

Severity: high. Confidence: medium.

Detects rundll32.exe abuse using Sysmon Event ID 1. JavaScript execution, remote SCT loading, and MiniDump (LSASS dump) score unconditionally, as these are high-confidence indicators. A suspicious path only scores when combined with an Office or scripting parent. Ordinal-based loading, an Office parent, and a scripting child spawned by rundll32.exe are additional risk indicators. The ControlPanel column is surfaced for context only and does not contribute to the score. Note that the SuspiciousChild test runs inside eval, where `=` is an exact string comparison, so the parent check uses like() rather than a search-style wildcard.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate software using rundll32.exe to load and execute DLL functions from Program Files
  • Windows system functions using rundll32.exe for Control Panel applets and shell extensions
  • Software deployment tools using rundll32.exe to trigger installation DLL entry points
  • Security tools and EDR agents using rundll32.exe as part of their mechanisms

Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Rundll32 LSASS Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: powershell.exe then rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 10 (Process Access): rundll32.exe accessing lsass.exe. Sysmon Event ID 11: lsass.dmp file created in Temp. Windows Defender will likely block this on patched systems.

  2. Test 2: Rundll32 JavaScript Execution via mshtml

    Expected signal: Sysmon Event ID 1: rundll32.exe with javascript: and mshtml in command line. If WScript.Shell successfully runs calc.exe, a child process creation event for calc.exe with ParentImage=rundll32.exe will appear.

  3. Test 3: Rundll32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: rundll32.exe with ordinal (#1) and Temp path. Sysmon Event ID 7: DLL loaded by rundll32.exe. Security Event ID 4688.
