Invoke-Obfuscation CLIP+ Launcher
Detects Obfuscated use of Clip.exe to execute PowerShell
Sigma rule (View on GitHub)
1title: Invoke-Obfuscation CLIP+ Launcher
2id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3
3related:
4 - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
5 type: derived
6description: Detects Obfuscated use of Clip.exe to execute PowerShell
7status: unsupported
8author: Jonathan Cheong, oscd.community
9date: 2020/10/13
10modified: 2021/09/16
11references:
12 - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26)
13tags:
14 - attack.defense_evasion
15 - attack.t1027
16 - attack.execution
17 - attack.t1059.001
18logsource:
19 product: windows
20 category: driver_load
21detection:
22 selection:
23 ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high```
References
-
Summary Tool: Invoke-Obfuscation — PowerShell command and script obfuscation framework Author: Daniel Bohannon, @danielhbohannon Type: Offensive tool, threat simulation Materials: The Invoke-Obfusc...
Read More
Related rules
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION