CobaltStrike Load by Rundll32

Last updated on:

Rule name: CobaltStrike Load by Rundll32

Rule type: Standard

Log sources: Windows Security, Sysmon

MITRE ATT&CK tags: Execution (T1218.011), Signed Binary Proxy Execution

Severity: High

About the rule

Rule Type

Standard

Rule Description

Detects instances where Cobalt Strike payloads are executed through rundll32.exe, a common living-off-the-land technique adversaries use to evade detection and establish persistence.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → DLL Load via Rundll32 → Command Execution via StartW → CobaltStrike Payload Execution

Impact

Allows stealthy execution of malicious payloads using legitimate system binaries, evading detection and bypassing application controls.

Rule Requirement

Prerequisites

Using Windows Event Viewer

  1. Log in to a domain controller with domain admin credentials.
  2. Open GPMC (gpmc.msc) and edit or create a GPO linked to the target OU.
  3. Go to:
    Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
    • Enable Audit Process Creation (Success)
    • Enable Audit Process Termination (Success)
  4. Go to:
    Computer Configuration > Administrative Templates > System > Audit Process Creation
    • Enable Include command line in process creation events
  5. Ensure registry key exists:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational

Using Sysmon

  1. Download and install Sysmon.
  2. Open Command Prompt as administrator.
  3. Use a config file that monitors process creation.
  4. Install Sysmon with the config file.
  5. In the config, include <ProcessCreate onmatch="exclude"/> to capture all process creations.
  6. Ensure registry key exists:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational

Criteria

Action1: actionname = "Process started"
  AND (PROCESSNAME endswith "\rundll32.exe"
       OR ORIGINALFILENAME = "RUNDLL32.EXE"
       OR COMMANDLINE contains "rundll32.exe,rundll32 ")
  AND (COMMANDLINE contains ".dll"
       AND COMMANDLINE endswith " StartW,,StartW")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME, Action1.DOMAIN, Action1.ORIGINALFILENAME, Action1.PARENTPROCESSID, Action1.PROCESSID, Action1.PRODUCT_NAME, Action1.SECURITYID
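The criteria above, replayed over constructed process-creation events as an added example (not the rule engine's own code). The comma-joined values in the query are read as alternatives ("rundll32.exe" or "rundll32 ", and a trailing " StartW" or ",StartW"), the comparison is assumed to be case-insensitive, and the field names, hostnames and command lines in the sample events are made up.

```python
import re

# Constructed sample process-creation events using the rule's field names
# (Sysmon Event ID 1 / Security 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"HOSTNAME": "WS01", "USERNAME": "WS01\\jdoe", "PROCESSID": 4120,
     "PROCESSNAME": "C:\\Windows\\System32\\rundll32.exe", "ORIGINALFILENAME": "RUNDLL32.EXE",
     "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
     "COMMANDLINE": "rundll32.exe C:\\Users\\Public\\update.dll,StartW"},   # should alert
    {"HOSTNAME": "WS02", "USERNAME": "WS02\\asmith", "PROCESSID": 5300,
     "PROCESSNAME": "C:\\Windows\\System32\\rundll32.exe", "ORIGINALFILENAME": "RUNDLL32.EXE",
     "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
     "COMMANDLINE": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},   # benign: no StartW
    {"HOSTNAME": "WS03", "USERNAME": "WS03\\jdoe", "PROCESSID": 6012,
     "PROCESSNAME": "C:\\Windows\\System32\\notepad.exe", "ORIGINALFILENAME": "NOTEPAD.EXE",
     "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
     "COMMANDLINE": "notepad.exe notes.dll,StartW"},   # not rundll32: no alert
]

# Subset of the fields the rule's "select" clause projects onto the alert.
SELECT_FIELDS = ("HOSTNAME", "COMMANDLINE", "PROCESSNAME", "USERNAME",
                 "PARENTPROCESSNAME", "PROCESSID")

# Final argument is the StartW export, whether written "x.dll,StartW" or "x.dll StartW".
STARTW_SUFFIX = re.compile(r"[ ,]StartW\s*$", re.IGNORECASE)


def is_rundll32(ev):
    """Process-identity clause: image path, original filename, or command line names rundll32."""
    proc = ev.get("PROCESSNAME", "").lower()
    cmd = ev.get("COMMANDLINE", "").lower()
    return (proc.endswith("\\rundll32.exe")
            or ev.get("ORIGINALFILENAME", "").upper() == "RUNDLL32.EXE"
            or "rundll32.exe" in cmd or cmd.startswith("rundll32 "))


def matches_rule(ev):
    """Full criteria: rundll32 identity AND a .dll on the command line AND StartW as the export."""
    cmd = ev.get("COMMANDLINE", "")
    return is_rundll32(ev) and ".dll" in cmd.lower() and STARTW_SUFFIX.search(cmd) is not None


def run_rule(events):
    """Return one alert per matching event, projected onto the selected fields."""
    return [{f: ev.get(f) for f in SELECT_FIELDS} for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event produces an alert; the Control Panel invocation shows why the StartW suffix, not rundll32.exe alone, carries the signal.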

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011)

Security Standards

M1050 – Exploit Protection (Microsoft’s ASR/EMET can help block Rundll32 misuse)

Author

Wojciech Lesicki

Future actions

Next Steps

  • Review command lines involving rundll32.exe, especially those that reference a .dll and the StartW export.
  • Investigate the source of DLLs and associated hashes (e.g., imphash=a75d7669db6b2e107a44c4057ff7f7d6).
  • Cross-reference with threat intel and recent alert patterns.
  • Terminate processes if confirmed malicious and isolate the affected host.
  • Update rule logic or tuning thresholds as necessary.

Mitigation

Mitigation ID: M1050

Mitigation Name: Exploit Protection

Description: Microsoft's Enhanced Mitigation Experience Toolkit (EMET) and Attack Surface Reduction (ASR) rules can block techniques that abuse rundll32.exe to bypass application control mechanisms.