Invoke-Obfuscation VAR+ Launcher

calendar Apr 15, 2024 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects Obfuscated use of Environment Variables to execute PowerShell

Sigma rule (View on GitHub)

 1title: Invoke-Obfuscation VAR+ Launcher
 2id: 27aec9c9-dbb0-4939-8422-1742242471d0
 3status: test
 4description: Detects Obfuscated use of Environment Variables to execute PowerShell
 5references:
 6    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
 7author: Jonathan Cheong, oscd.community
 8date: 2020/10/15
 9modified: 2024/04/15
10tags:
11    - attack.defense_evasion
12    - attack.t1027
13    - attack.execution
14    - attack.t1059.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
21        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
22        CommandLine|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top