Invoke-Obfuscation Obfuscated IEX Invocation - System
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Sigma rule (View on GitHub)
1title: Invoke-Obfuscation Obfuscated IEX Invocation - System
2id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
3status: test
4description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
5references:
6 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
7author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
8date: 2019-11-08
9modified: 2022-11-27
10tags:
11 - attack.defense-evasion
12 - attack.t1027
13logsource:
14 product: windows
15 service: system
16detection:
17 selection_eid:
18 EventID: 7045
19 selection_imagepath:
20 - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
21 - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
22 - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
23 - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
24 - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
25 - ImagePath|re: '\$VerbosePreference\.ToString\('
26 - ImagePath|re: '\String\]\s*\$VerbosePreference'
27 condition: all of selection_*
28falsepositives:
29 - Unknown
30level: high
References
Related rules
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs