From 0392f92a0d65601638ffa451d57e70c9322eaa67 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 27 Dec 2022 20:03:05 +0100
Subject: [PATCH] PowerShell Token Obfuscation (#3825)

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../posh_ps_token_obfuscation.yml             | 33 +++++++++++++++++++
 ...ation_win_powershell_token_obfuscation.yml | 32 ++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml

diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
new file mode 100644
index 000000000..2c1be97b9
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -0,0 +1,33 @@
+title: Powershell Token Obfuscation - Powershell
+id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
+related:
+    - id: deb9b646-a508-44ee-b7c9-d8965921c6b6
+      type: similar
+status: experimental
+description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
+references:
+    - https://github.com/danielbohannon/Invoke-Obfuscation
+author: frack113
+date: 2022/12/27
+tags:
+    - attack.defense_evasion
+    - attack.t1027.009
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        # Examples:
+        #   IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
+        #   &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
+        #   &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
+        #   ${e`Nv:pATh}
+        - ScriptBlockText|re: '\w+\`(\w+|-|.)\`[\w+|\s]'
+        #- ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
+        - ScriptBlockText|re: '"({\d})+"\s*-f'
+        - ScriptBlockText|re: '\${((e|n|v)*`(e|n|v)*)+:path}|\${((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+}|\${env:((p|a|t|h)*`(p|a|t|h)*)+}'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
new file mode 100644
index 000000000..ba81c6cfb
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
@@ -0,0 +1,32 @@
+title: Powershell Token Obfuscation - Process Creation
+id: deb9b646-a508-44ee-b7c9-d8965921c6b6
+related:
+    - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
+      type: similar
+status: experimental
+description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
+references:
+    - https://github.com/danielbohannon/Invoke-Obfuscation
+author: frack113
+date: 2022/12/27
+tags:
+    - attack.defense_evasion
+    - attack.t1027.009
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Examples:
+        #   IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
+        #   &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
+        #   &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
+        #   ${e`Nv:pATh}
+        - CommandLine|re: '\w+\`(\w+|-|.)\`[\w+|\s]'
+        #- CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
+        - CommandLine|re: '\"({\d})+\"\s*-f'
+        - CommandLine|re: '\${((e|n|v)*`(e|n|v)*)+:path}|\${((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+}|\${env:((p|a|t|h)*`(p|a|t|h)*)+}'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high