Clankerusecase
MITRE ATT&CK detection coverage

T1218.011 Rundll32

T1218.011 — Rundll32 is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 26 detection use cases covering it and 5 threat-intel articles citing it.

Defense Evasion
26 use cases · 5 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (26)

- Rundll32 Control RunDLL Hunt (ESCU actions · hunting)
- Rundll32 Control RunDLL World Writable Directory (ESCU actions · alerting)
- Rundll32 LockWorkStation (ESCU actions · hunting)
- Rundll32 Process Creating Exe Dll Files (ESCU actions · alerting)
- Rundll32 with no Command Line Arguments with Network (ESCU actions · alerting)
- RunDLL Loading DLL By Ordinal (ESCU actions · alerting)
- Suspicious IcedID Rundll32 Cmdline (ESCU actions · alerting)
- Suspicious Rundll32 dllregisterserver (ESCU actions · alerting)
- Suspicious Rundll32 no Command Line Arguments (ESCU actions · alerting)
- Suspicious Rundll32 PluginInit (ESCU actions · alerting)
- Suspicious Rundll32 StartW (ESCU actions · alerting)
- Windows Application Whitelisting Bypass Attempt via Rundll32 (ESCU actions · alerting)
- Windows LOLBAS Executed As Renamed File (ESCU actions · alerting)
- Windows LOLBAS Executed Outside Expected Path (ESCU actions · hunting)
- Windows Rundll32 Apply User Settings Changes (ESCU actions · hunting)
- Windows Rundll32 Load DLL in Temp Dir (ESCU actions · hunting)
- Windows Rundll32 with Non-Standard File Extension (ESCU actions · hunting)
- Rundll32 DNSQuery (ESCU actions · alerting)
- Detect Rundll32 Application Control Bypass - advpack (ESCU actions · alerting)
- Detect Rundll32 Application Control Bypass - setupapi (ESCU actions · alerting)
- Detect Rundll32 Application Control Bypass - syssetup (ESCU actions · alerting)
- Suspicious Rundll32 Rename (ESCU actions · hunting)
- [LLM] Kimsuky httpMalice persistence: 'Everything 1.9a-/1.8a-' Run-key or CacheDB service install (Bespoke install · alerting)
- [LLM] Scavenger npm supply chain: rundll32 executing node-gyp.dll from node_modules (CVE-2025-54313) (Bespoke install · alerting)
- [LLM] rundll32.exe spawned by Node/npm loading node-gyp.dll or crashreporter.dll (CVE-2025-54313) (Bespoke install · alerting)
- [LLM] rundll32.exe loading node-gyp.dll dropped by Scavenger-infected npm postinstall (CVE-2025-54313) (Bespoke install · alerting)

Articles citing this technique (5)