Invoke-Obfuscation COMPRESS OBFUSCATION

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Sigma rule

```yaml
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: c70731dd-0097-40ff-b112-f7032f29c16c
related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
      type: derived
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: unsupported
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2023/03/04
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19)
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImagePath|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        ImagePath|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        ImagePath|endswith: 'readtoend'
    condition: selection
falsepositives:
    - Unknown
level: medium
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
```
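To make the rule's matching semantics concrete, the following is an added example (not part of the rule, of SigmaHQ, or of any Sigma backend) that reimplements the `selection` block in plain Python and runs it over a few constructed `driver_load`-style events. It assumes Sigma's standard behaviour that string modifiers match case-insensitively and that the three `ImagePath` clauses inside one map are ANDed; the sample `ImagePath` values are constructed for illustration, and the base64 blob in the first one is a placeholder, not real data.

```python
"""Added example: evaluate the COMPRESS OBFUSCATION Sigma rule's selection
logic against constructed events. Illustrative only; not the rule's own code."""

# Match strings copied from the rule's 'selection' block.
CONTAINS_ALL = ["new-object", "text.encoding]::ascii"]
CONTAINS_ANY = ["system.io.compression.deflatestream", "system.io.streamreader"]
ENDSWITH = "readtoend"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'.

    Sigma string modifiers are case-insensitive, so the field value is
    lower-cased first. 'contains|all' requires every listed string,
    'contains' (a list) requires at least one, and 'endswith' is a literal
    suffix check; all three keys in the map must hold.
    """
    value = event.get("ImagePath")
    if value is None:          # field absent: the selection cannot match
        return False
    value = value.lower()
    if not all(s in value for s in CONTAINS_ALL):
        return False
    if not any(s in value for s in CONTAINS_ANY):
        return False
    return value.endswith(ENDSWITH)


def evaluate(events) -> list:
    """Apply the rule to a sequence of events; one boolean per event."""
    return [matches_rule(e) for e in events]


# Constructed sample events (not real telemetry). 'AAAA' is a placeholder.
SAMPLE_EVENTS = [
    {   # DeflateStream -> StreamReader -> ReadToEnd shape the rule describes
        "ImagePath": "powershell.exe -nop -c (New-Object System.IO.StreamReader("
                     "(New-Object System.IO.Compression.DeflateStream("
                     "[IO.MemoryStream][Convert]::FromBase64String('AAAA'),"
                     "[IO.Compression.CompressionMode]::Decompress)),"
                     "[Text.Encoding]::ASCII)).ReadToEnd",
    },
    {   # ordinary driver path: no PowerShell tokens at all
        "ImagePath": r"\SystemRoot\System32\drivers\tcpip.sys",
    },
    {   # same construction but ending in '()' - the literal endswith clause
        # does not fire, which is a gap a rule maintainer would want to know
        "ImagePath": "powershell.exe -nop -c (New-Object System.IO.StreamReader("
                     "(New-Object System.IO.Compression.DeflateStream("
                     "[IO.MemoryStream][Convert]::FromBase64String('AAAA'),"
                     "[IO.Compression.CompressionMode]::Decompress)),"
                     "[Text.Encoding]::ASCII)).ReadToEnd()",
    },
    {   # event without the field the rule keys on
        "EventID": 6,
    },
]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH  " if hit else "no     ", event.get("ImagePath", "<no ImagePath>"))
```

The third sample is the one worth noting when tuning this rule: `ImagePath|endswith: 'readtoend'` only matches a value whose last characters are exactly that token, so a command line that closes the call with `()` or is followed by any further characters is not selected by this clause as written.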
