Invoke-Obfuscation VAR+ Launcher - Security

 1title: Invoke-Obfuscation VAR+ Launcher - Security
 2id: dcf2db1f-f091-425b-a821-c05875b8925a
 3related:
 4    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 5      type: derived
 6status: test
 7description: Detects Obfuscated use of Environment Variables to execute PowerShell
 8references:
 9    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
10author: Jonathan Cheong, oscd.community
11date: 2020/10/15
12modified: 2022/11/29
13tags:
14    - attack.defense_evasion
15    - attack.t1027
16    - attack.execution
17    - attack.t1059.001
18logsource:
19    product: windows
20    service: security
21    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
22detection:
23    selection:
24        EventID: 4697
25        # ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
26        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
27        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
28        ServiceFileName|contains|all:
29            - 'cmd'
30            - '"set'
31            - '-f'
32        ServiceFileName|contains:
33            - '/c'
34            - '/r'
35    condition: selection
36falsepositives:
37    - Unknown
38level: high