SigmaHQ/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml

28 lines
840 B
YAML
Raw Normal View History

title: Invoke-Obfuscation RUNDLL LAUNCHER
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: powershell
detection:
selection_1:
EventID: 4104
ScriptBlockText|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
selection_2:
EventID: 4103
Payload|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
condition: selection_1 or selection_2
falsepositives:
- Unknown
level: medium