📝 Overview
What it is: A native Windows executable that allows a user to run a function exported from a DLL file. It is a critical “Living off the Land” (LotL) binary used by both admins and attackers to execute code via trusted system processes.
Target Phase: Execution / Persistence
Operating System: Windows (Native)
⚙️ Core Capabilities
- DLL Execution: Can call specific functions inside a DLL without needing a dedicated wrapper program.
- Bypassing Controls: Often used to bypass AppLocker or other application control solutions that trust native Microsoft binaries.
- Control Panel Access: Many `.cpl` files (Control Panel items) are actually DLLs that are launched via rundll32.
💻 Common Commands
| Command | Description |
|---|---|
| `rundll32.exe [path_to_dll], [function_name]` | Standard Execution: Runs the specified function within the DLL. |
| `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";[code]` | Advanced: Can be used to execute obfuscated JavaScript or VBScript. |
⚠️ Notes & Limitations
- Defense Evasion: Security analysts watch for `rundll32.exe` making network connections or spawning unusual child processes (like `cmd.exe`), as these are high-fidelity indicators of compromise.
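
The detection idea in the note above, as an added Python example that is not part of the original page: it triages Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records for the `rundll32.exe` behaviours described here. The sample events are constructed, and the child-process names beyond `cmd.exe` and the `vbscript:` marker are assumptions to tune per environment.

```python
import ntpath  # parses Windows paths correctly on any host OS

# Children treated as unusual for rundll32.exe. The page names cmd.exe;
# the other entries are assumptions to tune per environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Markers of the script-protocol invocation from the command table
# ("vbscript:" is an assumed counterpart for the VBScript case).
SCRIPT_MARKERS = ("javascript:", "vbscript:", "runhtmlapplication")


def _is_rundll32(path):
    return ntpath.basename(path or "").lower() == "rundll32.exe"


def triage(event):
    """Return the list of findings for one Sysmon-style event dict."""
    findings = []
    eid = event.get("EventID")
    if eid == 3 and _is_rundll32(event.get("Image")):
        findings.append("network connection to " + event.get("DestinationIp", "?"))
    if eid == 1:
        child = ntpath.basename(event.get("Image", "")).lower()
        if _is_rundll32(event.get("ParentImage")) and child in SUSPICIOUS_CHILDREN:
            findings.append("unusual child process " + child)
        cmdline = event.get("CommandLine", "").lower()
        if _is_rundll32(event.get("Image")) and any(m in cmdline for m in SCRIPT_MARKERS):
            findings.append("script-protocol command line")
    return findings


# Constructed sample events (not real telemetry); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";[code]'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", triage(ev) or "no finding")
```

The first sample is a routine Control Panel launch and produces no finding, which is the baseline the other three are measured against.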
🏷️ Tags
Tools CLItool WindowsNative Execution DefenseEvasion PenTestPlus #vulnerability services