DET0475 Detection Strategy for T1218.011 Rundll32 Abuse

Item	Value
ID	DET0475
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1218.011 (Rundll32)

Analytics

Windows

AN1308

Detects rundll32.exe invoked with atypical arguments (.dll, .cpl, javascript:, mshtml). DLLs not normally loaded by rundll32 are mapped into memory. Control_RunDLL or RunHTMLApplication invoked. Suspicious DLLs or scripts accessed from disk or network. Rundll32 reaches out to external domains (e.g., fetching .sct or .hta).

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22

Mutable Elements

Field	Description
TimeWindow	Correlating rundll32 invocation with DLL load or network activity within X seconds.
ParentProcessFilter	Limit detection to suspicious parent processes (e.g., explorer.exe, office apps) vs. trusted installers.
AllowedDLLs	Baseline list of legitimate DLLs frequently executed by rundll32 in the environment.
ExternalIPRange	Scope of external IP ranges considered anomalous for rundll32 network connections.