From 79d22dde5879c2e25ef6bc4979a5a0705aad95df Mon Sep 17 00:00:00 2001
From: frack113 <magicfrancois@gmail.com>
Date: Mon, 20 Sep 2021 22:56:13 +0200
Subject: [PATCH] split global win_invoke_obfuscation_*

---
 ..._load_invoke_obfuscation_var+_services.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml

diff --git a/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
new file mode 100644
index 000000000..2619bc83b
--- /dev/null
+++ b/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
+related:
+    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+      type: derived
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/09/17
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+