T1218.011 Sumo Logic CSE · Sumo

Detect Rundll32 in Sumo Logic CSE

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe avoids triggering security tools that allowlist it or ignore it due to high noise. Rundll32 can execute DLL payloads, Control Panel items (.cpl via Control_RunDLL), JavaScript (via mshtml,RunHTMLApplication), remote COM scriptlets, and system DLLs (zipfldr.dll, ieframe.dll). Adversaries may also export DLL functions by ordinal number or obscure function names by appending W/A character set suffixes. Widely used by InvisiMole, Latrodectus, FIN8, APT28, BoomBox, MegaCortex, QakBot, Emotet, Cobalt Strike, and many ransomware families.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.011 Rundll32
Canonical reference
https://attack.mitre.org/techniques/T1218/011/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*WinEvent* OR _sourceCategory=*Sysmon* OR _sourceCategory=*endpoint*
| where EventID in ("1", "4688")
| where toLowerCase(process_name) matches "*rundll32.exe*" or toLowerCase(command_line) matches "*rundll32*"
| eval javascript_exec = if(matches(toLowerCase(command_line), ".*javascript:.*") or matches(toLowerCase(command_line), ".*mshtml.*") or matches(toLowerCase(command_line), ".*runhtmlapplication.*"), 1, 0)
| eval remote_sct = if(matches(command_line, ".*https?://.*") or matches(toLowerCase(command_line), ".*getobject\\(.*"), 1, 0)
| eval minidump_flag = if(matches(toLowerCase(command_line), ".*minidump.*"), 1, 0)
| eval control_panel = if(matches(toLowerCase(command_line), ".*control_rundll.*") or matches(toLowerCase(command_line), ".*\.cpl.*"), 1, 0)
| eval suspicious_path = if(matches(toLowerCase(command_line), ".*(temp|appdata|downloads|public|desktop).*"), 1, 0)
| eval ordinal_load = if(matches(command_line, ".*,#[0-9]+.*"), 1, 0)
| eval office_parent = if(matches(toLowerCase(parent_process), ".*(winword|excel|outlook|powerpnt)\.exe.*"), 1, 0)
| eval script_parent = if(matches(toLowerCase(parent_process), ".*(cmd|powershell|wscript|cscript|mshta)\.exe.*"), 1, 0)
| eval risk_score = javascript_exec + remote_sct + minidump_flag + (suspicious_path * (office_parent + script_parent)) + ordinal_load + office_parent + script_parent
| where risk_score > 0
| fields _messagetime, host, user, process_name, command_line, parent_process, parent_command_line, javascript_exec, remote_sct, minidump_flag, control_panel, suspicious_path, ordinal_load, office_parent, script_parent, risk_score
| sort by risk_score desc, _messagetime desc
high severity medium confidence

Detects T1218.011 rundll32.exe proxy execution by enriching Windows process creation events (Sysmon EID 1 or Security EID 4688) with behavioral risk indicators including JavaScript execution via mshtml, remote SCT loading, LSASS MiniDump abuse, ordinal-based DLL invocation, and suspicious parent process chains. A composite risk score surfaces highest-priority alerts.

Data Sources

Sumo Logic Windows Event Log SourceSumo Logic Sysmon SourceSumo Logic Cloud SIEM (CSE) Windows normalized schema

Required Tables

_sourceCategory=*WinEvent*_sourceCategory=*Sysmon*

False Positives & Tuning

  • Enterprise endpoint management agents (e.g., Tanium, BigFix) that spawn rundll32.exe with shell32.dll or advpack.dll from PowerShell as part of patch management workflows
  • Legitimate use of ieframe.dll or zipfldr.dll by Windows Explorer processes for archive browsing or web content rendering, occasionally triggered from script-based automation
  • Developer toolchains that use mshta.exe or cscript.exe as build-step wrappers which subsequently call rundll32.exe with benign system DLLs
Download portable Sigma rule (.yml)

Other platforms for T1218.011

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rundll32 LSASS Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: powershell.exe then rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 10 (Process Access): rundll32.exe accessing lsass.exe. Sysmon Event ID 11: lsass.dmp file created in Temp. Windows Defender will likely block this on patched systems.

  2. Test 2Rundll32 JavaScript Execution via mshtml

    Expected signal: Sysmon Event ID 1: rundll32.exe with javascript: and mshtml in command line. If WScript.Shell successfully runs calc.exe, a child process creation event for calc.exe with ParentImage=rundll32.exe will appear.

  3. Test 3Rundll32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: rundll32.exe with ordinal (#1) and Temp path. Sysmon Event ID 7: DLL loaded by rundll32.exe. Security Event ID 4688.

Last updated: 2026-04-19 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1218.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1003.001LSASS MemoryT1059.007JavaScriptT1218.010Regsvr32T1218.002Control PanelT1546.015Component Object Model HijackingT1547.001Registry Run Keys / Startup Folder

Same Tactic: Defense Evasion

Popular Detections