Invoke-Obfuscation Via Use Rundll32

Detects obfuscated PowerShell that launches through Rundll32 in scripts

Sigma rule

title: Invoke-Obfuscation Via Use Rundll32
id: 4e1518d9-2136-4015-ab49-c31d7c8588e1
related:
    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
      type: derived
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
status: unsupported
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/03/08
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task30)
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImagePath|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ImagePath|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
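The rule's selection logic, re-implemented as an added Python example (not part of the Sigma project or of this rule) so it can be run offline over constructed sample events: `contains|all` requires every listed substring, the plain `contains` list requires at least one, both clauses must hold because they share one selection, and matching is case-insensitive as in Sigma.

```python
# Added example: re-implements the `selection` block of the Sigma rule above
# so it can be exercised offline. Not part of the Sigma project; the sample
# events below are constructed, and only the ImagePath field is evaluated.
REQUIRED_ALL = ("&&", "rundll32", "shell32.dll", "shellexec_rundll")
REQUIRED_ANY = ("value", "invoke", "comspec", "iex")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection` (the rule's `condition`).

    Sigma `contains` is a case-insensitive substring test. `contains|all`
    needs every listed value; a plain `contains` list needs at least one.
    The two ImagePath clauses sit in one selection map, so both must hold.
    """
    image_path = str(event.get("ImagePath", "")).lower()
    has_all = all(s in image_path for s in REQUIRED_ALL)
    has_any = any(s in image_path for s in REQUIRED_ANY)
    return has_all and has_any


def alerting_ids(events) -> list:
    """IDs of the events that would fire the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Invoke-Obfuscation style launcher: all four required tokens plus
    # 'comspec' and 'invoke' from the second list -> alert.
    {"id": "evt-1",
     "ImagePath": '%COMSPEC% /c "set x=Invoke-Expression && '
                  'rundll32 shell32.dll,ShellExec_RunDLL cmd"'},
    # Ordinary Control Panel applet launch: rundll32 and shell32.dll only.
    {"id": "evt-2",
     "ImagePath": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
    # All four required tokens but none from the second list -> no alert,
    # which shows the two clauses are ANDed together.
    {"id": "evt-3",
     "ImagePath": 'cmd /c "dir && rundll32 shell32.dll,ShellExec_RunDLL notepad"'},
    # Upper-case variant: matching is case-insensitive.
    {"id": "evt-4",
     "ImagePath": "RUNDLL32 SHELL32.DLL,SHELLEXEC_RUNDLL && IEX"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "ALERT" if matches_rule(event) else "no match")
```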
