rules/windows/defense-evasion/T1218.011_rundll32_suspicious.yml

34 lines · yaml

title: Suspicious Rundll32 Execution
id: c7b35acf-1122-4446-8d2d-95e7883f1064
status: experimental
description: >
  Detects rundll32.exe invoked in patterns associated with proxy execution of malicious
  code: no DLL argument, javascript: protocol handlers, or execution from user-writable paths.
references:
  - https://attack.mitre.org/techniques/T1218/011/
  - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
author: Zion Boggan
date: 2026-05-13
tags:
  - attack.defense_evasion
  - attack.t1218.011
logsource:
  product: windows
  category: process_creation
detection:
  selection_img:
    Image|endswith: '\rundll32.exe'
  selection_patterns:
    CommandLine|contains:
      - 'javascript:'
      - 'mshtml,RunHTMLApplication'
      - '.dll,#1'
      - '\AppData\'
      - '\Temp\'
      - '\ProgramData\'
  selection_nodll:
    CommandLine|re: 'rundll32(\.exe)?["'']?\s*$'
  condition: selection_img and (selection_patterns or selection_nodll)
falsepositives:
  - Rare legitimate use; baseline expected DLL invocations.
level: high

1	title: Suspicious Rundll32 Execution
2	id: c7b35acf-1122-4446-8d2d-95e7883f1064
3	status: experimental
4	description: >
5	Detects rundll32.exe invoked in patterns associated with proxy execution of malicious
6	code: no DLL argument, javascript: protocol handlers, or execution from user-writable paths.
7	references:
8	- https://attack.mitre.org/techniques/T1218/011/
9	- https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
10	author: Zion Boggan
11	date: 2026-05-13
12	tags:
13	- attack.defense_evasion
14	- attack.t1218.011
15	logsource:
16	product: windows
17	category: process_creation
18	detection:
19	selection_img:
20	Image\|endswith: '\rundll32.exe'
21	selection_patterns:
22	CommandLine\|contains:
23	- 'javascript:'
24	- 'mshtml,RunHTMLApplication'
25	- '.dll,#1'
26	- '\AppData\'
27	- '\Temp\'
28	- '\ProgramData\'
29	selection_nodll:
30	CommandLine\|re: 'rundll32(\.exe)?["'']?\s*$'
31	condition: selection_img and (selection_patterns or selection_nodll)
32	falsepositives:
33	- Rare legitimate use; baseline expected DLL invocations.
34	level: high