Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

calendar Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects Obfuscated Powershell via VAR++ LAUNCHER

Sigma rule (View on GitHub)

 1title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
 2id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
 3related:
 4    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 5      type: derived
 6status: test
 7description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 8references:
 9    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
10author: Timur Zinniatullin, oscd.community
11date: 2020-10-13
12modified: 2022-11-29
13tags:
14    - attack.defense-evasion
15    - attack.t1027
16    - attack.execution
17    - attack.t1059.001
18logsource:
19    product: windows
20    service: security
21    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
22detection:
23    selection:
24        EventID: 4697
25        # ServiceFileName|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
26        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
27        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
28        ServiceFileName|contains|all:
29            - '&&set'
30            - 'cmd'
31            - '/c'
32            - '-f'
33        ServiceFileName|contains:
34            - '{0}'
35            - '{1}'
36            - '{2}'
37            - '{3}'
38            - '{4}'
39            - '{5}'
40    condition: selection
41falsepositives:
42    - Unknown
43level: high

References

Related rules

to-top