SigmaHQ/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
2021-08-21 09:50:59 +02:00

29 lines
932 B
YAML

title: Invoke-Obfuscation Via Use MSHTA
id: e55a5195-4724-480e-a77e-3ebe64bd3759
description: Detects Obfuscated Powershell via use MSHTA in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/08
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: powershell
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104
ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
selection_2:
EventID: 4103
Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
condition: 1 of them
falsepositives:
- Unknown
level: high