Powershell Token Obfuscation - Powershell
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Sigma rule (View on GitHub)
1title: Powershell Token Obfuscation - Powershell
2id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
3related:
4 - id: deb9b646-a508-44ee-b7c9-d8965921c6b6
5 type: similar
6status: test
7description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
8references:
9 - https://github.com/danielbohannon/Invoke-Obfuscation
10author: frack113
11date: 2022/12/27
12modified: 2023/03/24
13tags:
14 - attack.defense_evasion
15 - attack.t1027.009
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection:
22 # Examples:
23 # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
24 # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
25 # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
26 # ${e`Nv:pATh}
27 - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
28 # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
29 - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
30 - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
31 filter_chocolatey:
32 ScriptBlockText|contains:
33 - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
34 - 'The function also prevents `Get-ItemProperty` from failing' # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey
35 filter_exchange:
36 Path|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
37 Path|endswith: '\bin\servicecontrol.ps1'
38 ScriptBlockText|contains: '`r`n'
39 condition: selection and not 1 of filter_*
40falsepositives:
41 - Unknown
42level: high
References
Related rules
- Powershell Token Obfuscation - Process Creation
- BITS Transfer Job Download From Direct IP
- BITS Transfer Job Download To Potential Suspicious Folder
- BITS Transfer Job Downloading File Potential Suspicious Extension
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD