From 5bd75521f275becd2bd9c181bc3dad2d40eb3ac7 Mon Sep 17 00:00:00 2001
From: Timur Zinniatullin <zinin.t@gmail.com>
Date: Tue, 13 Oct 2020 02:23:50 +0300
Subject: [PATCH] Add win_invoke_obfuscation_via_var++.yml

---
 .../win_invoke_obfuscation_via_var++.yml      | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml

diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
new file mode 100644
index 000000000..1fd2993b4
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
\ No newline at end of file