split global win_invoke_obfuscation_*

rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml

@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3
+related:
+    - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+      type: derived
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+modified: 2021/09/16
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: high

rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+id: e75c48bd-3434-4d61-94b7-ddfaa2c08487
+related:
+    - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
+      type: derived
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+status: experimental
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+modified: 2021/09/16
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
+        - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
+        - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
+        - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
+        - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
+        - ImagePath|re: '\$VerbosePreference\.ToString\('
+        - ImagePath|re: '\String\]\s*\$VerbosePreference'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml

@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e
+related:
+    - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+      type: derived
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/09/17
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: high

rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml

@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: c70731dd-0097-40ff-b112-f7032f29c16c
+related:
+    - id: 175997c5-803c-4b08-8bb0-70b099f47595
+      type: derived  
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+
+    selection:
+        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+    condition: selection
+falsepositives:
+    - unknown
+level: medium

rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml

@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c
+related:
+    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+      type: derived
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: medium

rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml

@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Stdin
+id: 82b66143-53ee-4369-ab02-de2c70cd6352
+related:
+    - id: 487c7524-f892-4054-b263-8a0ace63fc25
+      type: derived
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml

@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Clip
+id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851
+related:
+    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+      type: derived
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml

@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: a4e82ad2-7430-4ee8-b858-6ad6099773fa
+related:
+    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+      type: derived
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml

@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: 4e1518d9-2136-4015-ab49-c31d7c8588e1
+related:
+    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+      type: derived
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml

@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d
+related:
+    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+      type: derived
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml

@@ -0,0 +1,30 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
+related:
+    - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+      type: derived
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+modified: 2021/09/16
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml

@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+id: fd0f5778-d3cb-4c9a-9695-66759d04702a
+related:
+    - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
+      type: derived
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+status: experimental
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+modified: 2021/09/16
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4697
+    selection_1:
+        - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
+        - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
+        - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
+        - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
+        - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
+        - ImagePath|re: '\$VerbosePreference\.ToString\('
+        - ImagePath|re: '\String\]\s*\$VerbosePreference'
+    condition: selection and selection_1
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
+related:
+    - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+      type: derived
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/09/17
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml

@@ -0,0 +1,30 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: dcf2db1f-f091-425b-a821-c05875b8925a
+related:
+    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+      type: derived
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/09/17
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+    condition: all of them
+falsepositives:
+    - Unknown
+level: high
+

rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
+related:
+    - id: 175997c5-803c-4b08-8bb0-70b099f47595
+      type: derived  
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697 
+    selection:
+        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+    condition: selection and selection_eventid
+falsepositives:
+    - unknown
+level: medium

rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
+related:
+    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+      type: derived
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697 
+    selection:
+        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: medium

rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Stdin
+id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
+related:
+    - id: 487c7524-f892-4054-b263-8a0ace63fc25
+      type: derived
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml

@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation Via Use Clip
+id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
+related:
+    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+      type: derived
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high
+
+

rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
+related:
+    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+      type: derived
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
+related:
+    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+      type: derived
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
+related:
+    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+      type: derived
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+modified: 2021/09/18
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_eventid:
+        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high