Invoke-Obfuscation COMPRESS OBFUSCATION
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Sigma rule
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: c70731dd-0097-40ff-b112-f7032f29c16c
related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
      type: derived
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: unsupported
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2023/03/04
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19)
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImagePath|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        ImagePath|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        ImagePath|endswith: 'readtoend'
    condition: selection
falsepositives:
    - Unknown
level: medium
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
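The selection block above expressed as a small matcher, added here as an example and not part of the rule or of SigmaHQ's tooling. It assumes events arrive as dicts with an ImagePath field and applies Sigma's case-insensitive semantics for the contains|all, contains and endswith modifiers; the sample events are constructed.

```python
"""Evaluate the rule's 'selection' against constructed driver_load-style events.

Added example, not part of the Sigma rule or SigmaHQ tooling. Assumes
events are dicts with an 'ImagePath' field. Sigma string modifiers match
case-insensitively, so values are lower-cased before comparison.
"""

# Tokens copied from the rule's selection block.
CONTAINS_ALL = ("new-object", "text.encoding]::ascii")
CONTAINS_ANY = ("system.io.compression.deflatestream", "system.io.streamreader")
ENDS_WITH = "readtoend"


def matches_compress_obfuscation(event: dict) -> bool:
    """Return True when the event satisfies every clause of 'selection'."""
    value = str(event.get("ImagePath", "")).lower()
    return (
        all(tok in value for tok in CONTAINS_ALL)      # ImagePath|contains|all
        and any(tok in value for tok in CONTAINS_ANY)  # ImagePath|contains (any of the list)
        and value.endswith(ENDS_WITH)                  # ImagePath|endswith
    )


# Constructed sample events (assumptions, not real telemetry):
#  [0] a DeflateStream/StreamReader decompression chain ending in ReadToEnd -> match
#  [1] an ordinary driver path                                              -> no match
#  [2] has the required tokens but ends with ReadLine, so endswith fails     -> no match
SAMPLE_EVENTS = [
    {"ImagePath": "(New-Object IO.StreamReader((New-Object System.IO.Compression.DeflateStream"
                  "($s,[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd"},
    {"ImagePath": r"C:\Windows\System32\drivers\example.sys"},
    {"ImagePath": "New-Object System.IO.StreamReader $s [Text.Encoding]::ASCII ReadLine"},
]


def alerts(events):
    """Return the indices of the events the selection matches."""
    return [i for i, ev in enumerate(events) if matches_compress_obfuscation(ev)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0]
```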
Related rules
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation RUNDLL LAUNCHER
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION