Detects Obfuscated Powershell via Stdin in Scripts

2024-11-08 02:08:54 +00:00 · 2020-10-12 18:52:28 +03:00 · 2020-10-12 18:52:28 +03:00 · ec383d9784
commit ec383d9784
parent d3ee1aba66
1 changed files with 23 additions and 0 deletions
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml
@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Stdin
+id: 9c14c9fa-1a63-4a64-8e57-d19280559490
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high