mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-09 02:26:48 +00:00
f5aa871e5d
The global document defines a "selection" identifier which is also defined in the individual rules. The rule identifier is getting overwritten by the global identifier. Fix by giving unique names to the global identifier.
45 lines
1.4 KiB
YAML
action: global
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
status: experimental
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
tags:
    - attack.defense_evasion
    - attack.t1027
falsepositives:
    - Unknown
level: high
detection:
    selection_1:
        - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - ImagePath|re: '\*mdr\*\W\s*\)\.Name'
        - ImagePath|re: '\$VerbosePreference\.ToString\('
        - ImagePath|re: '\String\]\s*\$VerbosePreference'
    condition: selection and selection_1
---
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
---
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697
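The rule's detection logic run over a few constructed service-install events, as an added example that is not code from the SigmaHQ project or from any Sigma converter. It transcribes the rule's documents into dicts, merges the `action: global` document into each rule document, and evaluates `condition: selection and selection_1`. Assumptions: the merge is one level deep and the rule document wins on a key clash (the converter the commit message describes resolved it the other way round; either direction silently drops one of the two selections), the sample events are made up, and `BROKEN_GLOBAL` is a constructed reproduction of the pre-fix layout in which both sides named their selection `selection`.

```python
import re
from copy import deepcopy

# The seven ImagePath regexes from the rule; Sigma's |re modifier is an unanchored search.
IEX_PATTERNS = [
    r'\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[',
    r'\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[',
    r'\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[',
    r'\$env:ComSpec\[(\s*\d{1,3}\s*,){2}',
    r'\*mdr\*\W\s*\)\.Name',
    r'\$VerbosePreference\.ToString\(',
    r'\String\]\s*\$VerbosePreference',
]

# The rule's documents transcribed as dicts (constructed here so no YAML parser is needed).
GLOBAL_DOC = {"action": "global", "detection": {
    "selection_1": [{"ImagePath|re": p} for p in IEX_PATTERNS],
    "condition": "selection and selection_1"}}
RULE_DOCS = [{"logsource": {"product": "windows", "service": svc},
              "detection": {"selection": {"EventID": eid}}}
             for svc, eid in (("system", 7045), ("sysmon", 6), ("security", 4697))]

# Pre-fix layout from the commit message (constructed): the global also names its selection 'selection'.
BROKEN_GLOBAL = {"action": "global", "detection": {
    "selection": [{"ImagePath|re": p} for p in IEX_PATTERNS],
    "condition": "selection"}}


def merge_global(global_doc, rule_doc):
    """Merge an 'action: global' document into one rule document.

    Assumption: mappings merge one level deep and the rule document wins on a clash.
    """
    merged = deepcopy({k: v for k, v in global_doc.items() if k != "action"})
    for key, value in rule_doc.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = {**merged[key], **deepcopy(value)}
        else:
            merged[key] = deepcopy(value)
    return merged


def field_matches(field_spec, expected, event):
    """Evaluate one 'Field' or 'Field|re' item against an event dict."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "re":
        return re.search(expected, str(actual)) is not None
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """A list of maps is OR-ed; the keys inside one map are AND-ed."""
    if isinstance(selection, list):
        return any(selection_matches(item, event) for item in selection)
    return all(field_matches(k, v, event) for k, v in selection.items())


def rule_matches(rule, event):
    """Evaluate the condition; only the 'a and b' form this rule uses is supported."""
    det = rule["detection"]
    names = [n.strip() for n in det["condition"].split(" and ")]
    return all(selection_matches(det[name], event) for name in names)


def build_rules(global_doc=GLOBAL_DOC, rule_docs=RULE_DOCS):
    return [merge_global(global_doc, doc) for doc in rule_docs]


def matching_services(events, rules=None):
    """For each event, the logsource services whose merged rule fired."""
    if rules is None:
        rules = build_rules()
    return [[r["logsource"]["service"] for r in rules if rule_matches(r, ev)]
            for ev in events]


# Constructed sample events: an obfuscated service install, a benign one,
# the same obfuscated command on an unrelated event ID, and a 4697 hit.
OBFUSCATED = "powershell.exe -c ($ShellId[1]+$ShellId[13]+'x')('Write-Host hi')"
BENIGN = r"C:\Windows\system32\svchost.exe -k netsvcs"
EVENTS = [
    {"EventID": 7045, "ServiceName": "Updater", "ImagePath": OBFUSCATED},
    {"EventID": 7045, "ServiceName": "wuauserv", "ImagePath": BENIGN},
    {"EventID": 4688, "ImagePath": OBFUSCATED},
    {"EventID": 4697, "ImagePath": "cmd /c powershell ([String]$VerbosePreference)[1,3]+'x'"},
]

if __name__ == "__main__":
    print("fixed rule   :", matching_services(EVENTS))
    print("broken global:", matching_services(EVENTS, build_rules(BROKEN_GLOBAL)))
```

With the fixed rule only the two obfuscated service installs fire; with `BROKEN_GLOBAL` the rule document's `selection: {EventID: 7045}` replaces the regex list during the merge, the condition degrades to an EventID match, and the benign `svchost.exe` install fires as well. Note that the last pattern's `\S` matches any non-whitespace character, so `[String]$VerbosePreference` is caught but so would be any other character before `tring]`.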