Powershell Token Obfuscation - Process Creation

calendar Aug 12, 2024 · attack.defense-evasion attack.t1027.009  ·
Share on: linkedin copy

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

Sigma rule (View on GitHub)

 1title: Powershell Token Obfuscation - Process Creation
 2id: deb9b646-a508-44ee-b7c9-d8965921c6b6
 3related:
 4    - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
 5      type: similar
 6status: test
 7description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
 8references:
 9    - https://github.com/danielbohannon/Invoke-Obfuscation
10author: frack113
11date: 2022-12-27
12modified: 2024-08-11
13tags:
14    - attack.defense-evasion
15    - attack.t1027.009
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        # Examples:
22        #   IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
23        #   &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
24        #   &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
25        - CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]'
26        # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
27        - CommandLine|re: '"(\{\d\})+"\s*-f'
28        #   ${e`Nv:pATh}
29        - CommandLine|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
30    filter_main_envpath:
31        CommandLine|contains: '${env:path}'
32    condition: selection and not 1 of filter_main_*
33falsepositives:
34    - Unknown
35level: high

References

Related rules

to-top