Invoke-Obfuscation Via Use MSHTA
Detects obfuscated PowerShell launched via MSHTA in scripts
Sigma rule

title: Invoke-Obfuscation Via Use MSHTA
id: a4e82ad2-7430-4ee8-b858-6ad6099773fa
related:
    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
      type: derived
description: Detects Obfuscated Powershell via use MSHTA in Scripts
status: unsupported
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/03/08
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImagePath|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
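As an added example (not the SigmaHQ project's code and not part of the rule page), the Python below implements the semantics of the rule's ImagePath|contains|all selection and runs it over a few constructed records. The dict-based record format, the evaluate function and the sample ImagePath values are assumptions made for illustration; the six substrings are taken from the rule itself.

```python
# Added example (not from the SigmaHQ project): evaluate the rule's
# ImagePath|contains|all selection against constructed log records.
# The dict record format and the field lookup are assumptions.

SELECTION_TOKENS = (
    "set",
    "&&",
    "mshta",
    "vbscript:createobject",
    ".run",
    "(window.close)",
)


def contains_all(value, tokens=SELECTION_TOKENS):
    """Sigma `contains|all`: every listed substring must occur in the
    field value. Sigma string matching is case-insensitive, so the
    comparison is done on lower-cased text."""
    if not isinstance(value, str):
        return False
    lowered = value.lower()
    return all(token.lower() in lowered for token in tokens)


def evaluate(records, field="ImagePath"):
    """Apply the rule's single selection (condition: selection) and
    return the ids of the records that would fire."""
    return [r["id"] for r in records if contains_all(r.get(field))]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Ordinary driver load: none of the tokens is present.
    {"id": 1, "ImagePath": r"C:\Windows\System32\drivers\acpi.sys"},
    # Plain mshta invocation: lacks 'set', '&&' and '(window.close)'.
    {"id": 2, "ImagePath": 'mshta vbscript:createobject("wscript.shell")'
                           '.run("notepad",0)'},
    # Launcher shape the rule describes, in mixed case; all six tokens present.
    {"id": 3, "ImagePath": 'SET x=placeholder&&MSHTA VBScript:CreateObject'
                           '("WScript.Shell").Run("cmd /c echo constructed",0)'
                           '(Window.Close)'},
    # Record without the field at all.
    {"id": 4},
]


if __name__ == "__main__":
    print("matched record ids:", evaluate(SAMPLE_RECORDS))
```

Record 2 is the reason the rule requires all six substrings rather than matching on 'mshta' alone: a bare mshta call does not fire, only the full set/&&/mshta/.run/(window.close) launcher shape does, which keeps the rule specific to the Invoke-Obfuscation launcher and away from generic mshta.exe use. Note that the rule as published sits in the driver_load category with status unsupported, so the field name and log source should be checked against the telemetry actually available before deploying it.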
Related rules
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher