Invoke-Obfuscation VAR+ Launcher
Detects Obfuscated use of Environment Variables to execute PowerShell
Sigma rule (View on GitHub)
1title: Invoke-Obfuscation VAR+ Launcher
2id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
3related:
4 - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
5 type: derived
6description: Detects Obfuscated use of Environment Variables to execute PowerShell
7status: unsupported
8author: Jonathan Cheong, oscd.community
9date: 2020/10/15
10modified: 2021/09/17
11references:
12 - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24)
13tags:
14 - attack.defense_evasion
15 - attack.t1027
16 - attack.execution
17 - attack.t1059.001
18logsource:
19 product: windows
20 category: driver_load
21detection:
22 selection:
23 ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high
References
-
Summary Tool: Invoke-Obfuscation — PowerShell command and script obfuscation framework Author: Daniel Bohannon, @danielhbohannon Type: Offensive tool, threat simulation Materials: The Invoke-Obfusc...
Read More
Related rules
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION