Proc_creation_win_bad_opsec_sacrificial_processes.ymlĭescription : ' Detects attackers using tooling with bad opsec defaults e.g. ' process call create "rundll32 c:\windows' Proc_creation_win_apt_lazarus_activity_apr21.yml Proc_creation_win_apt_equationgroup_dll_u_load.yml SourceImage : ' C:\Windows\System32\rundll32.exe' Proc_access_win_lsass_dump_comsvcs_dll.ymlĭescription : Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. Posh_ps_invoke_obfuscation_via_use_rundll32.yml Posh_ps_invoke_obfuscation_via_rundll.yml Posh_pm_invoke_obfuscation_via_use_rundll32.yml Posh_pm_invoke_obfuscation_via_rundll.yml Net_connection_win_rundll32_net_connections.ymlĭescription : Detects a rundll32 that communicates with public IP addresses Image_load_suspicious_dbghelp_dbgcore_load.yml Image : ' C:\Windows\System32\rundll32.exe' Image_load_mimikatz_inmemory_detection.yml rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent processįile_event_win_win_shell_write_susp_directory.yml Title : PowerShell Rundll32 Remote Thread Creationĭescription : Detects PowerShell remote thread creation in Rundll32.exeĭriver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml Win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml Win_invoke_obfuscation_via_use_rundll32_services.yml Win_invoke_obfuscation_via_rundll_services.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn Win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml Title : Invoke-Obfuscation Via Use Rundll32ĭescription : Detects Obfuscated Powershell via use Rundll32 in Scripts Win_invoke_obfuscation_via_use_rundll32_services_security.yml Win_invoke_obfuscation_via_rundll_services_security.yml While rundll32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The following table contains possible examples of rundll32.exe being misused.
Product Name: Microsoft Windows Operating System.For more information about running scripts and setting execution policy, see about_Execution_Policies at
You cannot run this script on the current system. Status: The file C:\windows\SysWOW64\rundll32.exe is not digitally signed.File Path: C:\windows\SysWOW64\rundll32.exe.