Signed by Microsoft. Weaponized by Adversaries.
rundll32.exe is one of Windows’ most trusted utilities — which is precisely why attackers reach for it. A practitioner’s field guide to the abuse, the telemetry it leaves behind, and the detections.
Executive summary
– The binary is innocent; the instruction is the threat. Detection must focus on what rundll32 is told to load and do, not on the executable.
– Parentage and DLL provenance are your highest-fidelity signals. An Office application spawning rundll32, or rundll32 loading a DLL from a user-writable path, is almost never legitimate.
– rundll32 with no arguments is an injection tell. Legitimate invocations virtually always carry a DLL and an export; an empty command line is a classic spawn-and-inject pattern.
– It is also a credential-access tool. comsvcs.dll,MiniDump turns rundll32 into a signed LSASS dumper — watch for it explicitly.
– You cannot block the binary — so reduce the surface. Attack Surface Reduction’s “Office child process” rule severs the most common chain without breaking Windows.
What rundll32.exe was built to do
rundll32.exe exists for one reason: to run a function that lives inside a DLL, without that DLL needing its own executable.
DLLs export functions. Most are meant to be called by programs that link against them. But Windows ships a small generic host — rundll32 — whose entire job is to load a named DLL, locate a named export, and call it. That is how Control Panel applets, legacy installers, and countless system tasks launch UI and run setup logic. The canonical syntax is deceptively simple:
The anatomy of an abuse
A single observed command line carries the entire story — a trusted launcher, an attacker payload, an entry point, and the intent encoded in its argument:
Why attackers love it
This is the essence of Living off the Land — abusing pre-installed, trusted tooling (LOLBins) instead of dropping a novel executable. Every property that makes rundll32 safe to ship makes it valuable to abuse:
The trade is straightforward: the adversary gives up a custom dropper and gains a signed, trusted, ubiquitous launcher that legacy controls wave through. Detection therefore cannot live at the file layer. It has to live in behavior — lineage, provenance, and intent.
A representative kill chain
The most common shape this abuse takes in the wild: a phishing lure leads to a macro or exploit that quietly hands execution to rundll32, which loads the real payload and calls home.
The technique stack
rundll32 abuse is rarely a single technique — it is connective tissue threading through delivery, evasion, credential access, and command-and-control. Mapping the full stack keeps detections honest and coverage measurable.
The one-liners worth knowing — as a defender
These invocation patterns are publicly catalogued (notably in the LOLBAS project) and appear repeatedly across commodity and targeted intrusions. Recognize them on sight in your command-line telemetry. They are listed as detection references — what to hunt for — not as a how-to.
Deployable detections
Production-oriented starting points for Microsoft Defender / Sentinel Advanced Hunting (KQL) and a portable Sigma rule. They are severity-gated and written to be tuned against your environment’s baseline, not dropped in blind.
Benign baseline vs. suspicious signal
rundll32 is one of the noisiest legitimate processes on Windows — it runs dozens of times an hour on a normal workstation. A detection that flags rundll32 itself will drown your analysts. The discriminators below separate routine telemetry from a real lead.
None of these is a verdict alone — a signed vendor DLL in ProgramData is common. Fidelity comes from stacking them: an Office parent and a user-writable DLL and outbound egress is no longer a coincidence.
The investigation workflow
A defensible triage path keeps the response evidence-led and auditable — exactly what holds up in a post-incident review or a governance conversation.
01 Reconstruct the process tree. Walk parent and child of the rundll32 instance. The lineage answers the first question: user-initiated, or proxied through a document?
02 Pull the full command line. Identify the DLL, the export (or ordinal), and any arguments. The argument field is where intent — a C2 URL, a stage, a key — usually lives.
03 Establish DLL provenance. Where did it load from, and is it signed? A user-writable, unsigned DLL is the pivot from “anomaly” to “incident.”
04 Check the hash reputation. Submit the DLL hash to your intel sources. Absence of reputation is itself meaningful for a freshly-staged payload.
05 Review DeviceNetworkEvents. Correlate any outbound connections from the rundll32 PID. Resolve domains, check cadence, extract C2 indicators.
06 Hunt enterprise-wide. Pivot on the DLL name, hash, command-line pattern, and any C2 indicator across all endpoints to scope blast radius.
07 Isolate and preserve. Network-contain the host, capture volatile memory and staged artifacts before cleanup, and document the timeline.
Prevention that doesn’t break Windows
You cannot allowlist rundll32 away — Windows depends on it. So prevention targets the chain and the provenance, not the binary.
Modern intrusions abuse trusted binaries precisely to blend in — to convert your own allowlists, signatures, and reputation systems into cover. When the executable is innocent and the instruction is the weapon, file-centric defense has nothing left to grip. Behavior — lineage, provenance, and intent — is the new perimeter, and it is the one an adversary cannot sign their way past.