diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 000000000..bce2ea533
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references: 
+    - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+detection:
+    selection_1:
+        EventID: 4104
+    selection_2:
+        - ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+    selection_3:
+        EventID: 4103
+    selection_4:
+        - Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+    condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
+falsepositives:
+    - Unknown
+level: high