Powershell Token Obfuscation - Process Creation
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Sigma rule (View on GitHub)
1title: Powershell Token Obfuscation - Process Creation
2id: deb9b646-a508-44ee-b7c9-d8965921c6b6
3related:
4 - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
5 type: similar
6status: test
7description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
8references:
9 - https://github.com/danielbohannon/Invoke-Obfuscation
10author: frack113
11date: 2022/12/27
12modified: 2022/12/30
13tags:
14 - attack.defense_evasion
15 - attack.t1027.009
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 # Examples:
22 # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
23 # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
24 # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
25 # ${e`Nv:pATh}
26 - CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]'
27 # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
28 - CommandLine|re: '"(\{\d\})+"\s*-f'
29 - CommandLine|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
30 condition: selection
31falsepositives:
32 - Unknown
33level: high
References
-
PowerShell Obfuscator. Contribute to danielbohannon/Invoke-Obfuscation development by creating an account on GitHub.
Read More
Related rules
- Powershell Token Obfuscation - Powershell
- AgentExecutor PowerShell Execution
- Change User Account Associated with the FAX Service
- Change the Fax Dll
- Exchange PowerShell Cmdlet History Deleted