valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
30f7dad901
SigmaHQ/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
Timur Zinniatullin 30f7dad901
Add win_invoke_obfuscation_via_compress_services.yml
2020-10-18 19:50:30 +03:00

42 lines
1004 B
YAML
Raw Blame History

action: global
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 175997c5-803c-4b08-8bb0-70b099f47595
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
falsepositives:
- unknown
level: medium
detection:
selection_1:
- ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
condition: selection and selection_1
---
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
Reference in New Issue View Git Blame Copy Permalink