
Rundll32 Proxy Execution

Attackers abuse the signed Windows binary rundll32.exe to load malicious DLLs and execute exported functions, proxying code under a trusted process.

rundll32.exe is a signed, Microsoft-shipped utility whose legitimate purpose is to call functions exported from a DLL from the command line. Because it is trusted, ubiquitous, and frequently used by the OS itself, it is one of the most heavily abused Living-off-the-Land binaries (LOLBins). An analyst will encounter it as a proxy: the malicious code lives in a DLL (or even a remote scriptlet), but the process tree shows the signed rundll32.exe doing the work.

The technique lets an attacker execute arbitrary code without dropping their own executable, helping to bypass application allow-listing that trusts signed system binaries and to blend into normal Windows activity. Variants range from loading a local trojan DLL to invoking COM scriptlets that pull payloads over HTTP.

How it works

In its simplest form, an attacker calls a named export from a DLL on disk:

```text
rundll32.exe C:\Users\Public\update.dll,StartW
```

rundll32 loads update.dll, resolves the StartW export (a common Cobalt Strike beacon entry point), and transfers execution to it. The export name can be anything, or an ordinal like #1.

A more evasive variant abuses the legacy javascript: / COM moniker handling to run inline script and reach out to the network, with no DLL on disk at all:

```text
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<script>...</script>
```

Here rundll32 is coaxed into loading mshtml.dll and running the embedded script through RunHTMLApplication — the same engine mshta.exe uses. Analysts should recognise the tell-tale mshtml,RunHTMLApplication fragment and the javascript: prefix as anomalous: legitimate rundll32 invocations name a concrete DLL and export, never an inline script URL.

Detection & analysis

Static analysis:

  • Inspect any DLL referenced on a rundll32 command line: check the export table for the named function and compare against benign system DLLs. Unsigned DLLs, exports with generic names (StartW, Start, DllRegisterServer), and DLLs in user-writable paths (%TEMP%, %APPDATA%, \Public\) are red flags.
  • Triage the command line itself with YARA/regex: presence of javascript:, mshtml, RunHTMLApplication, vbscript:, or url.dll,OpenURL strongly suggests abuse rather than a DLL/export call.

Dynamic analysis:

  • Run under Procmon/API Monitor and observe the LoadLibrary target and subsequent behaviour. Legitimate rundll32 rarely opens network sockets; a rundll32.exe making outbound HTTP/S connections is highly suspicious.
  • In a sandbox, watch the parent/child tree. Benign rundll32 is usually spawned by explorer.exe, svchost.exe, or control panel applets. Malicious instances are commonly spawned by Office apps (winword.exe, excel.exe), wscript.exe, powershell.exe, or cmd.exe, and often spawn further children.

Detection rule hint:

Alert on Sysmon Event ID 1 where Image ends with \rundll32.exe AND (the command line contains no .dll reference but does contain javascript:/mshtml/RunHTMLApplication, OR the loaded DLL resides in a user-writable directory, OR the parent process is an Office application or script host). Correlate with Event ID 3 (network connection) from the same rundll32 PID to catch C2 beaconing.
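As an added example, not part of the original page or of any product's rule set, the hint above written out as a small Python hunt over Sysmon-style Event ID 1 and Event ID 3 records. The record field names, the sample command lines, the parent paths and the destination address are all constructed for the example.

```python
import re

# Constructed Sysmon-style records for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign Control Panel call
    {"EventID": 1, "ProcessId": 5208, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,StartW"},
    {"EventID": 1, "ProcessId": 6004, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<script>...</script>'},
    {"EventID": 3, "ProcessId": 5208, "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

SCRIPT_MARKERS = ("javascript:", "mshtml", "runhtmlapplication")                      # inline-script tells
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\")                        # matched against a lower-cased path
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wscript.exe", "powershell.exe", "cmd.exe"}
DLL_PATH = re.compile(r'([a-z]:\\[^,\s"]+\.dll)')                                       # first absolute DLL path on the command line

def classify_process_create(event):
    """Return the reasons a Sysmon Event ID 1 record matches the rule; an empty list means no alert."""
    if event.get("EventID") != 1 or not event.get("Image", "").lower().endswith(r"\rundll32.exe"):
        return []
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons = []
    # Branch 1: no DLL named, but the inline-script / mshtml fragments are present.
    if ".dll" not in cmd and any(marker in cmd for marker in SCRIPT_MARKERS):
        reasons.append("inline script via mshtml,RunHTMLApplication")
    # Branch 2: the DLL being loaded lives in a user-writable directory.
    match = DLL_PATH.search(cmd)
    if match and any(path in match.group(1) for path in USER_WRITABLE):
        reasons.append("DLL in user-writable path: " + match.group(1))
    # Branch 3: spawned by an Office application or script host.
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("suspicious parent: " + parent)
    return reasons

def hunt(events):
    """Apply the rule to every record and mark alerts whose PID also produced an Event ID 3 (network connection)."""
    network_pids = {e["ProcessId"] for e in events if e.get("EventID") == 3}
    alerts = []
    for event in events:
        reasons = classify_process_create(event)
        if reasons:
            alerts.append({"pid": event["ProcessId"], "reasons": reasons,
                           "network": event["ProcessId"] in network_pids})
    return alerts
```

Running `hunt(SAMPLE_EVENTS)` leaves the explorer-spawned Control Panel call alone and returns two alerts, with the Public-folder DLL instance also flagged as having made a network connection.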
