Merge pull request #1108 from NikitaStormwind/regular30(3)

[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (Services)

rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml

@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation Via Use Rundll32
+id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+falsepositives:
+    - Unknown
+level: high
+detection:
+    selection_1:
+        - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+    condition: selection and selection_1
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 6
+---
+ logsource:
+     product: windows
+     service: security
+ detection:
+     selection:
+         EventID: 4697