SigmaHQ/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml

44 lines
1.0 KiB
YAML

action: global
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 175997c5-803c-4b08-8bb0-70b099f47595
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
falsepositives:
- unknown
level: medium
detection:
selection:
- ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
category: driver_load
detection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697