Invoke-Obfuscation Via Stdin
Detects Obfuscated Powershell via Stdin in Scripts
Sigma rule (View on GitHub)
1title: Invoke-Obfuscation Via Stdin
2id: 82b66143-53ee-4369-ab02-de2c70cd6352
3related:
4 - id: 487c7524-f892-4054-b263-8a0ace63fc25
5 type: derived
6description: Detects Obfuscated Powershell via Stdin in Scripts
7status: unsupported
8author: Nikita Nazarov, oscd.community
9date: 2020/10/12
10modified: 2023/04/23
11references:
12 - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28)
13tags:
14 - attack.defense_evasion
15 - attack.t1027
16 - attack.execution
17 - attack.t1059.001
18logsource:
19 product: windows
20 category: driver_load
21detection:
22 selection:
23 ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high```
References
Related rules
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher