Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Detects Obfuscated Powershell via VAR++ LAUNCHER
Sigma rule (View on GitHub)
1title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
2id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d
3related:
4 - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
5 type: derived
6description: Detects Obfuscated Powershell via VAR++ LAUNCHER
7status: unsupported
8author: Timur Zinniatullin, oscd.community
9date: 2020/10/13
10modified: 2021/09/18
11references:
12 - https://github.com/SigmaHQ/sigma/issues/1009 #(Task27)
13tags:
14 - attack.defense_evasion
15 - attack.t1027
16 - attack.execution
17 - attack.t1059.001
18logsource:
19 product: windows
20 category: driver_load
21detection:
22 selection:
23 ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
24 condition: selection
25falsepositives:
26 - Unknown
27level: high```
References
-
Summary Tool: Invoke-Obfuscation — PowerShell command and script obfuscation framework Author: Daniel Bohannon, @danielhbohannon Type: Offensive tool, threat simulation Materials: The Invoke-Obfusc...
Read More
Related rules
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher