Adversaries may use Rundll32 to execute malicious payloads through signed binaries or scripts, leveraging its commonality to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential proxy execution tactics used in advanced persistent threats.
KQL Query
```kql
imProcessCreate
| where Process has "rundll32.exe"
// Uncomment the next line and add your CommandLine whitelisted/ignore terms. For example "payload.dll"
// | where CommandLine !contains ("payload.dll")
| extend HostCustomEntity = Dvc, AccountCustomEntity = User
```
```yaml
id: 365a889c-ae0f-461d-bdf1-d6ce11d0ef6f
name: Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
description: |
  'This detection uses Normalized Process Events to hunt Signed Binary Proxy Execution: Rundll32 activities'
requiredDataConnectors: []
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1218.011
query: |
  imProcessCreate
  | where Process has "rundll32.exe"
  // Uncomment the next line and add your CommandLine whitelisted/ignore terms. For example "payload.dll"
  // | where CommandLine !contains ("payload.dll")
  | extend HostCustomEntity = Dvc, AccountCustomEntity = User
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
Scenario: Scheduled Task Running Rundll32 for System Maintenance
Description: A legitimate scheduled task uses rundll32.exe to execute a system cleanup tool like CCleaner or Disk Cleanup.
Filter/Exclusion: Exclude processes where the command line includes known legitimate tools (e.g., ccleaner.exe, cleanmgr.exe) or where the task is managed by the system scheduler (Task Scheduler).
Scenario: Admin Using Rundll32 to Launch a Script for Patching
Description: An administrator uses rundll32.exe to execute a script for applying a software update, such as a Windows Update or third-party patch.
Filter/Exclusion: Exclude processes where the command line includes a script path that is known to be part of a patching process (e.g., C:\Windows\System32\WindowsUpdate.exe or C:\Program Files\UpdateAgent\patchscript.bat).
Scenario: Rundll32 Used by a Trusted Third-Party Application
Description: A trusted enterprise application (e.g., Adobe Acrobat, Microsoft Office, or Java Runtime) uses rundll32.exe to load a DLL for functionality.
Filter/Exclusion: Exclude processes where the parent process is a known trusted application or where the DLL path is within the application’s installation directory.
Scenario: Rundll32 Invoked by a Service for Configuration Management
Description: A service (e.g., SCOM, System Center, or Ansible) uses rundll32.exe to execute a configuration script or registry update.
Filter/Exclusion: Exclude processes where the parent process is a known configuration management tool or where the command line includes a script associated with a service (e
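The four scenarios above describe exclusions in prose but the rule itself only carries a commented-out `!contains` line. The query below is an added tuning example, not part of the original rule or of the Sentinel content hub, that applies all four exclusion ideas to the same normalized `imProcessCreate` events and records why a row was suppressed. It assumes the ASIM ProcessEvent column names (`Process`, `CommandLine`, `ActingProcessName` for the parent process, `Dvc`, `User`, `TimeGenerated`); the tool names, script path and parent process names in the `let` lists are constructed placeholders that must be replaced with what is actually observed in your tenant.

```kql
// Added tuning example (not the page's rule). Column names follow the ASIM
// ProcessEvent schema; allow-list values are constructed placeholders.
let lookback = 7d;
// Scenario 1: maintenance tools referenced on the command line
let maintenanceTools = dynamic(["ccleaner.exe", "cleanmgr.exe"]);
// Scenario 2: scripts that belong to an approved patching process
let patchScripts = dynamic([@"C:\Program Files\UpdateAgent\patchscript.bat"]);
// Scenario 4: configuration-management parents (placeholder process names)
let configMgmtParents = dynamic(["monitoringhost.exe", "ansible-runner.exe"]);
imProcessCreate
| where TimeGenerated > ago(lookback)
| where Process has "rundll32.exe"
// rundll32's first argument is "<dll path>,<entry point>"; pull the DLL path out
// so later checks look at the loaded module rather than the whole command line
| extend DllPath = trim(@"\s+", extract(@'(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)', 1, CommandLine))
// Directory the parent executable was launched from (Scenario 3: a trusted
// application loading a DLL from inside its own installation directory)
| extend ParentDir = tostring(parse_path(ActingProcessName).DirectoryPath)
| extend ExclusionReason = case(
    CommandLine has_any (maintenanceTools), "maintenance tool",
    CommandLine has_any (patchScripts), "approved patch script",
    isnotempty(ParentDir)
        and ParentDir startswith @"C:\Program Files"
        and DllPath startswith ParentDir, "dll in parent install dir",
    ActingProcessName has_any (configMgmtParents), "config management parent",
    "")
// While tuning, remove the next line to see what each exclusion suppresses
| where isempty(ExclusionReason)
| project TimeGenerated, Dvc, User, ActingProcessName, DllPath, CommandLine
| extend HostCustomEntity = Dvc, AccountCustomEntity = User
```

The Scenario 3 check deliberately requires the parent to live under `C:\Program Files` before trusting "DLL in the parent's directory"; without that guard a rundll32 launched from a user-writable folder would exclude itself by dropping its DLL next to the parent. Keeping `ExclusionReason` as a column (rather than chaining separate `where` clauses) lets you stack-count each reason during tuning and confirm every exclusion still matches only the benign pattern it was written for.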