title: Rundll32 (T1218.011)
id: df00tech-t1218-011
status: experimental
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe avoids triggering security tools that allowlist it or ignore it due to high noise. Rundll32 can execute DLL payloads, Control Panel items (.cpl via Control_RunDLL), JavaScript (via mshtml,RunHTMLApplication), remote COM scriptlets, and system DLLs (zipfldr.dll, ieframe.dll). Adversaries may also export DLL functions by ordinal number or obscure function names by appending W/A character set suffixes. Widely used by InvisiMole, Latrodectus, FIN8, APT28, BoomBox, MegaCortex, QakBot, Emotet, Cobalt Strike, and many ransomware families."
references:
  - https://attack.mitre.org/techniques/T1218/011/
  - https://df00tech.com/detections/T1218.011
author: df00tech
date: 2026/04/19
tags:
  - attack.t1218.011
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software using rundll32.exe to load and execute DLL functions from Program Files, such as printer drivers, codec installers, and application extensions"
  - Windows itself uses rundll32.exe for various system functions including Control Panel applets and shell extensions
  - Software deployment tools (SCCM) that use rundll32.exe to trigger installation DLL entry points
  - Security tools and EDR agents that may use rundll32.exe as part of their injection or hooking mechanisms
level: high