split global win_invoke_obfuscation_*

2021-09-20 22:56:13 +02:00
parent 10d11b7890
commit 79d22dde58
1 changed files with 28 additions and 0 deletions
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
+related:
+    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+      type: derived
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/09/17
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+