Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via VAR++ LAUNCHER

Sigma rule (View on GitHub)

 1title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
 2id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
 3related:
 4    - id: e54f5149-6ba3-49cf-b153-070d24679126
 5      type: derived
 6status: test
 7description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 8references:
 9    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
10author: Timur Zinniatullin, oscd.community
11date: 2020-10-13
12modified: 2024-04-05
13tags:
14    - attack.defense-evasion
15    - attack.t1027
16    - attack.execution
17    - attack.t1059.001
18logsource:
19    product: windows
20    category: ps_module
21    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
22detection:
23    selection_4103:
24        Payload|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
25    condition: selection_4103
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top