From b78a1f326738c49f366deb4f163c19010a434f26 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 11 Jul 2022 18:23:34 +0200
Subject: [PATCH] rule: suspicious PS encoded & obfuscated
---
 ...oc_creation_win_susp_ps_encoded_obfusc.yml | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml
new file mode 100644
index 000000000..3055c5185
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml
@@ -0,0 +1,52 @@
+title: Suspicious PowerShell Obfuscated PowerShell Code
+id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35
+status: experimental
+description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
+author: Florian Roth
+references:
+ - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
+date: 2022/07/11
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ # -bxor 0x
+ - 'IAAtAGIAeABvAHIAIAAwAHgA'
+ - 'AALQBiAHgAbwByACAAMAB4A'
+ - 'gAC0AYgB4AG8AcgAgADAAeA'
+ # .Invoke() |
+ - 'AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg'
+ - 'AuAEkAbgB2AG8AawBlACgAKQAgAHwAI'
+ - 'ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC'
+ # {1}{0}" -f
+ # {0}{3}" -f
+ # {2}{0}" -f
+ - 'AHsAMQB9AHsAMAB9ACIAIAAtAGYAI'
+ - 'B7ADEAfQB7ADAAfQAiACAALQBmAC'
+ - 'AewAxAH0AewAwAH0AIgAgAC0AZgAg'
+ - 'AHsAMAB9AHsAMwB9ACIAIAAtAGYAI'
+ - 'B7ADAAfQB7ADMAfQAiACAALQBmAC'
+ - 'AewAwAH0AewAzAH0AIgAgAC0AZgAg'
+ - 'AHsAMgB9AHsAMAB9ACIAIAAtAGYAI'
+ - 'B7ADIAfQB7ADAAfQAiACAALQBmAC'
+ - 'AewAyAH0AewAwAH0AIgAgAC0AZgAg'
+ # {1}{0}' -f
+ # {0}{3}' -f
+ # {2}{0}' -f
+ - 'AHsAMQB9AHsAMAB9ACcAIAAtAGYAI'
+ - 'B7ADEAfQB7ADAAfQAnACAALQBmAC'
+ - 'AewAxAH0AewAwAH0AJwAgAC0AZgAg'
+ - 'AHsAMAB9AHsAMwB9ACcAIAAtAGYAI'
+ - 'B7ADAAfQB7ADMAfQAnACAALQBmAC'
+ - 'AewAwAH0AewAzAH0AJwAgAC0AZgAg'
+ - 'AHsAMgB9AHsAMAB9ACcAIAAtAGYAI'
+ - 'B7ADIAfQB7ADAAfQAnACAALQBmAC'
+ - 'AewAyAH0AewAwAH0AJwAgAC0AZgAg'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
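Review bot: `tags` in the new rule carries only the tactic `attack.defense_evasion`; Sigma convention pairs a tactic with its technique, and since the strings are base64 fragments of obfuscated PowerShell taken from a process command line, adding `  - attack.t1027` (Obfuscated Files or Information) together with `  - attack.execution` and `  - attack.t1059.001` (PowerShell) would place the rule correctly in ATT&CK-based views. The title repeats the product name; `title: Suspicious Obfuscated PowerShell Code` reads better. The comments above each group of three strings give the cleartext but not why there are three variants; they appear to be the three base64 alignment offsets of the UTF-16LE string, and a header comment above `CommandLine|contains:` such as `# each cleartext fragment is listed in its three base64 offset variants` would spare the next maintainer re-deriving that. Finally, `|contains` is matched case-insensitively by most Sigma backends while base64 is case-sensitive, so the fragments match slightly more than the exact encodings listed; that is worth stating under `falsepositives` instead of the bare `Unknown`.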