From enterprise
Jump to: navigation, search
ID T1085
Tactic Defense Evasion, Execution
Platform Windows
Permissions Required User
Data Sources File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Supports Remote No
Defense Bypassed Anti-virus, Application whitelisting
Contributors Ricardo Dias

The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.

Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.1


  • APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe “C:\Windows\twain_64.dll”.2 APT28 also executed a .dll for a first stage dropper using rundll32.exe.3
  • APT3 has a tool that can run DLLs.4
  • Carbanak installs VNC server software that executes through rundll32.5
  • CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.6
  • ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.3
  • CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW."7
  • The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.8
  • After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.9
  • Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.10
  • Rundll32.exe is used as a way of executing Flame at the command-line.11
  • JHUHUGIT is executed using rundll32.exe.12
  • Matroyshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.13
  • PowerDuke uses rundll32.exe to load.14
  • Prikormka uses rundll32.exe to load its DLL.15
  • Pteranodon executes functions using rundll32.exe.16
  • RTM runs its core DLL file using rundll32.exe.17
  • Sakula calls cmd.exe to run various DLL files via rundll32.18
  • StreamEx uses rundll32 to call an exported function.19
  • The Winnti installer loads a DLL using rundll32.20


Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting.21


Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.