Invoke-Obfuscation Obfuscated IEX Invocation
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
Sigma rule (View on GitHub)
1title: Invoke-Obfuscation Obfuscated IEX Invocation
2id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
3status: test
4description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
5references:
6 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
7author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
8date: 2019-11-08
9modified: 2022-12-31
10tags:
11 - attack.defense-evasion
12 - attack.t1027
13 - attack.execution
14 - attack.t1059.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 - CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
21 - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
22 - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
23 - CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
24 - CommandLine|re: '\*mdr\*\W\s*\)\.Name'
25 - CommandLine|re: '\$VerbosePreference\.ToString\('
26 - CommandLine|re: '\[String\]\s*\$VerbosePreference'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
Related rules
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- Invoke-Obfuscation CLIP+ Launcher - Security