Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Sigma rule (View on GitHub)

 1title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
 2id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
 3related:
 4    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
 5      type: derived
 6status: test
 7description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 8references:
 9    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
10author: Timur Zinniatullin, oscd.community
11date: 2020/10/18
12modified: 2022/11/29
13tags:
14    - attack.defense_evasion
15    - attack.t1027
16    - attack.execution
17    - attack.t1059.001
18logsource:
19    product: windows
20    category: ps_module
21    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
22detection:
23    selection_4103:
24        Payload|contains|all:
25            - 'new-object'
26            - 'text.encoding]::ascii'
27        Payload|contains:
28            - 'system.io.compression.deflatestream'
29            - 'system.io.streamreader'
30        Payload|endswith: 'readtoend'
31    condition: selection_4103
32falsepositives:
33    - Unknown
34level: medium

References

Related rules

to-top