Windows

Rundll32.exeRundll32.exe

Platform
Windows
Abuse functions
5
Mapped techniques
2

Description

Rundll32.exe is a Windows living-off-the-land binary catalogued by the LOLBAS Project. Documented abuse functions: Execute, ADS. Mapped ATT&CK techniques (per LOLBAS / GTFOBins → MITRE crosswalk): T1218, T1564.004. Defenders should monitor execution of Rundll32.exe under non-administrative or sudo contexts and alert when its arguments match the abuse-function signatures.

Abuse functions· 5

ExecuteT1218.011

Execute DLL file

ExecuteT1218.011

Execute DLL from SMB share.

ExecuteT1218.011

Execute code from Internet

Execute code from alternate data stream

ExecuteT1218.011

Execute a DLL/EXE COM server payload or ScriptletURL code.

MITRE ATT&CK techniques· 2

T1218.011T1564.004

Uses2

TypeTargetConfidenceTier
SubTechniqueRundll32t1218.011100%live
SubTechniqueNTFS File Attributest1564.004100%live

Abuses2

TypeTargetConfidenceTier
SubTechniqueNTFS File Attributest1564.00490%live
TechniqueSystem Binary Proxy Executiont121885%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

LOLbin
Shell32.dll
LOLbin
Regsvr32.exe
LOLbin
cmdl32.exe
LOLbin
Control.exe
LOLbin
Runonce.exe
LOLbin
Runexehelper.exe
Sourced from LOLBAS Project. Curated by Adam Lundqvist, SQUR.