SigmaHQ/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml

title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
    condition: selection
falsepositives:
    - unknown
level: medium