
Windows Rundll32 Load DLL in Temp Dir

Author: Teoderick Contreras, Splunk
Source: upstream

This detection identifies instances where rundll32.exe is used to load a DLL from a temporary directory, such as C:\Users\<User>\AppData\Local\Temp\ or C:\Windows\Temp. While rundll32.exe is a legitimate Windows utility for executing functions exported from DLLs, loading libraries from temporary locations is highly suspicious. These directories are commonly used by malware and red team tools to stage payloads or to execute code in memory without writing it to more persistent locations. This behavior often indicates defense evasion, initial access, or privilege escalation, especially when the DLL is unsigned, recently written, or executed shortly after a download. In normal user workflows, DLLs are not typically loaded from Temp paths, which makes this a high-fidelity indicator of potentially malicious activity. Monitoring this pattern is essential for detecting threats that attempt to blend in with native system processes while bypassing traditional application controls.

MITRE ATT&CK coverage

Tactic: Defense Evasion
Technique: T1218.011 System Binary Proxy Execution: Rundll32

Event coverage

Provider: Sysmon
Event ID: 1
Title: Process creation

Stages and Predicates

Stage 1: tstats

tstats WHERE (Processes.original_file_name="RUNDLL32.EXE" OR Processes.process_name="rundll32.exe") Processes.process IN ("*\\tmp\\*", "*temp\\*") BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`
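To make concrete what the Stage 1 predicate admits and rejects, here is an added Python emulation of it (not part of the rule or of Splunk's own content) run over constructed, CIM-normalised Sysmon Event ID 1 records. It assumes Splunk's wildcard matching on field values is case-insensitive and emulates that by lowercasing both sides.

```python
import fnmatch

# Constructed Sysmon Event ID 1 records, already mapped to the Endpoint.Processes
# field names the tstats stage reads. Sample data only, not real telemetry.
SAMPLE_EVENTS = [
    {"dest": "ws01", "original_file_name": "RUNDLL32.EXE", "process_name": "rundll32.exe",
     "process": r'"C:\Windows\System32\rundll32.exe" C:\Users\alice\AppData\Local\Temp\upd.dll,Start',
     "parent_process_name": "winword.exe"},
    {"dest": "ws02", "original_file_name": "RUNDLL32.EXE", "process_name": "rundll32.exe",
     "process": r"rundll32.exe C:\Windows\Temp\x.dll,#1",
     "parent_process_name": "cmd.exe"},
    # Renamed copy: on-disk name differs, but the PE header's original filename still matches.
    {"dest": "ws03", "original_file_name": "RUNDLL32.EXE", "process_name": "svch0st.exe",
     "process": r"svch0st.exe C:\tmp\evil.dll,Run",
     "parent_process_name": "powershell.exe"},
    # Benign: a system DLL, no temp path anywhere in the command line.
    {"dest": "ws04", "original_file_name": "RUNDLL32.EXE", "process_name": "rundll32.exe",
     "process": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent_process_name": "explorer.exe"},
    # Temp path present, but the process is not rundll32, so the rule must not fire.
    {"dest": "ws05", "original_file_name": "MSIEXEC.EXE", "process_name": "msiexec.exe",
     "process": r"msiexec.exe /i C:\Users\bob\AppData\Local\Temp\setup.msi",
     "parent_process_name": "explorer.exe"},
]

# The Processes.process IN (...) list from Stage 1; in SPL "\\" is an escaped backslash.
PROCESS_PATTERNS = ["*\\tmp\\*", "*temp\\*"]


def is_rundll32(ev):
    """Either identifier is enough: the PE original filename survives a rename on disk."""
    return (ev.get("original_file_name", "").upper() == "RUNDLL32.EXE"
            or ev.get("process_name", "").lower() == "rundll32.exe")


def loads_from_temp(ev):
    """Emulate the wildcard IN() clause; lowercasing approximates Splunk's case folding."""
    cmd = ev.get("process", "").lower()
    return any(fnmatch.fnmatchcase(cmd, pattern.lower()) for pattern in PROCESS_PATTERNS)


def stage1_matches(events):
    """Return the dest of every process-creation event that satisfies the Stage 1 predicate."""
    return [ev["dest"] for ev in events if is_rundll32(ev) and loads_from_temp(ev)]


if __name__ == "__main__":
    print(stage1_matches(SAMPLE_EVENTS))  # → ['ws01', 'ws02', 'ws03']
```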

Indicators

Each entry is a field, operator, and value that the rule matches. The corpus figure counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or a 1 shows that the indicator is specific to this rule.

Field: Processes.original_file_name
Kind: eq
Values:
  • RUNDLL32.EXE (corpus 28: sigma 25, splunk 3)

Field: Processes.process
Kind: in
Values:
  • "*\\tmp\\*"
  • "*temp\\*"

Field: Processes.process_name
Kind: eq
Values:
  • rundll32.exe (corpus 3: splunk 3)