Invoke-Obfuscation Via Use Rundll32 - PowerShell

About the rule

Rule Type

Standard

Rule Description

rundll32.exe is a legitimate Windows utility used to execute functions from DLL files. While it serves administrative and system-level purposes, it’s often misused by attackers to execute malicious commands under the guise of a trusted process.

In this technique, obfuscated PowerShell commands invoke rundll32.exe to load shell32.dll and call the function ShellExec_RunDLL. Combined with strings like invoke, comspec, or iex, this creates a stealthy method of running malicious payloads. Because rundll32.exe is a signed Microsoft binary, its misuse often evades basic defenses and endpoint controls.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access via infected USB device → Execution → Command and Scripting Interpreter → Obfuscated PowerShell via rundll32 → Code execution → Privilege escalation

Impact

• Exploitation of vulnerabilities
• Malware execution
• Forensic evidence manipulation

Rule Requirement

Prerequisites

Log on to the Group Policy Management Console (GPMC) with domain admin privileges and enable PowerShell Module Logging in the Group Policy Management Editor. In the Module Names window, enter * to ensure all modules are recorded. Similarly, enable PowerShell Script Block Logging. Finally, create a new registry key named "Microsoft-Windows-Powershell/Operational" under the directory Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ to capture operational logs.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Obfuscated Files or Information (T1027), Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security standard:

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of obfuscated PowerShell that calls rundll32.exe with shell32.dll and ShellExec_RunDLL. This enables you to monitor runtime environments like PowerShell.

Author

Nikita Nazarov, oscd.community

Future actions

Known False Positives

This rule might be triggered when administrative or software deployment scripts that call ShellExec_RunDLL in a controlled context are run.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell activities: Continuously monitor PowerShell executions, restrict script execution privileges to administrators only, and disable PowerShell on devices where it is not required.

Mitigation