Rundll32 - T1218.011
(ATT&CK® Technique)
Definition
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Launching a payload through rundll32.exe, rather than executing it directly (i.e. Shared Modules), may avoid triggering security tools that do not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).
D3FEND Inferred Relationships
The D3FEND knowledge graph infers the following relationships for Rundll32 (T1218.011), listed here with the d3f identifiers of the linked nodes.

Rundll32 relates to two digital artifacts:
- invokes Create Process (d3f:CreateProcess)
- loads Shared Library File (d3f:SharedLibraryFile)

Defensive techniques inferred through the Create Process artifact:
- Process Spawn Analysis (d3f:ProcessSpawnAnalysis) analyzes Create Process; may detect Rundll32
- System Call Analysis (d3f:SystemCallAnalysis) analyzes Create Process; may detect Rundll32
- Executable Denylisting (d3f:ExecutableDenylisting) filters Create Process; may isolate Rundll32
- Executable Allowlisting (d3f:ExecutableAllowlisting) filters Create Process; may isolate Rundll32
- System Call Filtering (d3f:SystemCallFiltering) filters Create Process; may isolate Rundll32
- Hardware-based Process Isolation (d3f:Hardware-basedProcessIsolation) restricts Create Process; may isolate Rundll32

Defensive techniques inferred through the Shared Library File artifact:
- Decoy File (d3f:DecoyFile) spoofs Shared Library File; may deceive Rundll32
- File Integrity Monitoring (d3f:FileIntegrityMonitoring) analyzes Shared Library File; may detect Rundll32
- File Analysis (d3f:FileAnalysis) analyzes Shared Library File; may detect Rundll32
- File Eviction (d3f:FileEviction) deletes Shared Library File; may evict Rundll32
- Restore File (d3f:RestoreFile) restores Shared Library File; may restore Rundll32
- Local File Permissions (d3f:LocalFilePermissions) restricts Shared Library File; may isolate Rundll32
- File Encryption (d3f:FileEncryption) encrypts Shared Library File; may harden against Rundll32
- Remote File Access Mediation (d3f:RemoteFileAccessMediation) isolates Shared Library File; may isolate Rundll32