Invoke-Obfuscation Via Stdin

Detects Obfuscated Powershell via Stdin in Scripts

Sigma rule (View on GitHub)

 1title: Invoke-Obfuscation Via Stdin
 2id: 82b66143-53ee-4369-ab02-de2c70cd6352
 3related:
 4    - id: 487c7524-f892-4054-b263-8a0ace63fc25
 5      type: derived
 6description: Detects Obfuscated Powershell via Stdin in Scripts
 7status: unsupported
 8author: Nikita Nazarov, oscd.community
 9date: 2020/10/12
10modified: 2023/04/23
11references:
12    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28)
13tags:
14    - attack.defense_evasion
15    - attack.t1027
16    - attack.execution
17    - attack.t1059.001
18logsource:
19    product: windows
20    category: driver_load
21detection:
22    selection:
23        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high```

References

Related rules

to-top