Invoke-Obfuscation CLIP+ Launcher

calendar Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects Obfuscated use of Clip.exe to execute PowerShell

Sigma rule (View on GitHub)

 1title: Invoke-Obfuscation CLIP+ Launcher
 2id: b222df08-0e07-11eb-adc1-0242ac120002
 3status: test
 4description: Detects Obfuscated use of Clip.exe to execute PowerShell
 5references:
 6    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
 7author: Jonathan Cheong, oscd.community
 8date: 2020-10-13
 9modified: 2022-11-17
10tags:
11    - attack.defense-evasion
12    - attack.t1027
13    - attack.execution
14    - attack.t1059.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        # CommandLine|re: 'cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
21        # Example 1: Cmd /c" echo/Invoke-Expression (New-Object Net.WebClient).DownloadString |cLiP&& POWerSheLl -Nolog -sT . (\"{1}{2}{0}\"-f'pe','Ad',(\"{1}{0}\" -f'Ty','d-' ) ) -Assemb ( \"{5}{1}{3}{0}{2}{4}\" -f'ows','y','.F',(\"{0}{1}{2}\" -f'stem.W','i','nd'),( \"{0}{1}\"-f 'o','rms' ),'S' ) ; ([SySTEM.wiNDows.FoRmS.CLiPbOArd]::( \"{1}{0}\" -f (\"{1}{0}\" -f'T','TTeX' ),'gE' ).\"invO`Ke\"( ) ) ^| ^&( \"{5}{1}{2}{4}{3}{0}\" -f 'n',( \"{1}{0}\"-f'KE-','o' ),(\"{2}{1}{0}\"-f 'pRESS','x','e' ),'o','i','iNV') ; [System.Windows.Forms.Clipboard]::(\"{0}{1}\" -f( \"{1}{0}\"-f'e','SetT' ),'xt').\"InV`oKe\"( ' ')"
22        # Example 2: CMD/c " ECho Invoke-Expression (New-Object Net.WebClient).DownloadString|c:\WiNDowS\SySteM32\cLip && powershElL -noPRO -sTa ^& (\"{2}{0}{1}\" -f 'dd',(\"{1}{0}\"-f 'ype','-T' ),'A' ) -AssemblyN (\"{0}{3}{2}{1}{4}\"-f'Pr','nCo',(\"{0}{1}\"-f'e','ntatio'),'es','re' ) ; ^& ( ( [StRinG]${ve`RB`OSE`pr`e`FeReNCE} )[1,3] + 'x'-JoiN'') ( ( [sySTem.WInDOWs.ClipbOaRD]::( \"{1}{0}\" -f(\"{0}{1}\" -f'tTe','xt' ),'ge' ).\"IN`Vo`Ke\"( ) ) ) ; [System.Windows.Clipboard]::( \"{2}{1}{0}\" -f't',( \"{0}{1}\" -f 'tT','ex' ),'Se' ).\"In`V`oKe\"( ' ' )"
23        CommandLine|contains|all:
24            - 'cmd'
25            - '&&'
26            - 'clipboard]::'
27            - '-f'
28        CommandLine|contains:
29            - '/c'
30            - '/r'
31    condition: selection
32falsepositives:
33    - Unknown
34level: high

References

Related rules

to-top