Potential PowerShell Obfuscation Using Character Join
Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
Sigma rule (View on GitHub)
1title: Potential PowerShell Obfuscation Using Character Join
2id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
3related:
4 - id: 96cd126d-f970-49c4-848a-da3a09f55c55
5 type: derived
6status: test
7description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
8references:
9 - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/01/09
12tags:
13 - attack.defense_evasion
14 - attack.execution
15 - attack.t1027
16 - attack.t1059.001
17logsource:
18 product: windows
19 category: ps_script
20 definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22 selection:
23 # Example:
24 # Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
25 # Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
26 ScriptBlockText|contains|all:
27 - '-Alias' # For both "New-Alias" and "Set-Alias"
28 - ' -Value (-join('
29 condition: selection
30falsepositives:
31 - Unknown
32level: low
References
Related rules
- Potential PowerShell Obfuscation Using Alias Cmdlets
- PowerShell Base64 Encoded WMI Classes
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module