Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Oct 17, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Detects Obfuscated Powershell via use Rundll32 in Scripts

Sigma rule (View on GitHub)

 1title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
 2id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
 3related:
 4    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
 5      type: derived
 6status: test
 7description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 8references:
 9    - https://github.com/SigmaHQ/sigma/issues/1009
10author: Nikita Nazarov, oscd.community
11date: 2019/10/08
12modified: 2022/11/29
13tags:
14    - attack.defense_evasion
15    - attack.t1027
16    - attack.execution
17    - attack.t1059.001
18logsource:
19    product: windows
20    category: ps_module
21    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
22detection:
23    selection_4103:
24        Payload|contains|all:
25            - '&&'
26            - 'rundll32'
27            - 'shell32.dll'
28            - 'shellexec_rundll'
29        Payload|contains:
30            - 'value'
31            - 'invoke'
32            - 'comspec'
33            - 'iex'
34    condition: selection_4103
35falsepositives:
36    - Unknown
37level: high

References

Invoke-Obfuscation · Issue #1009 · SigmaHQ/sigma

Summary Tool: Invoke-Obfuscation — PowerShell command and script obfuscation framework Author: Daniel Bohannon, @danielhbohannon Type: Offensive tool, threat simulation Materials: The Invoke-Obfusc...

Read More

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Sigma rule (View on GitHub)

References

Invoke-Obfuscation · Issue #1009 · SigmaHQ/sigma

Related rules