Invoke-Obfuscation Obfuscated IEX Invocation

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

Sigma rule (View on GitHub)

 1title: Invoke-Obfuscation Obfuscated IEX Invocation
 2id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
 3status: test
 4description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
 5references:
 6    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 7author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
 8date: 2019-11-08
 9modified: 2022-12-31
10tags:
11    - attack.defense-evasion
12    - attack.t1027
13    - attack.execution
14    - attack.t1059.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
21        - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
22        - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
23        - CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
24        - CommandLine|re: '\*mdr\*\W\s*\)\.Name'
25        - CommandLine|re: '\$VerbosePreference\.ToString\('
26        - CommandLine|re: '\[String\]\s*\$VerbosePreference'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top