split global win_invoke_obfuscation_*

rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation CLIP+ Launcher
+id: f7385ee2-0e0c-11eb-adc1-0242ac120002
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2021/08/14
+modified: 2021/09/16
 references:
      - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -12,34 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection:
-        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
-    condition: selection and selection_eventid
----
-id: f7385ee2-0e0c-11eb-adc1-0242ac120002
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml

@@ -1,16 +1,19 @@
-action: global
 title: Invoke-Obfuscation Obfuscated IEX Invocation
+id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
+modified: 2021/09/16
 tags:
     - attack.defense_evasion
     - attack.t1027
-falsepositives:
-    - Unknown
-level: high
+logsource:
+    product: windows
+    service: system
 detection:
+    selection:
+        EventID: 7045
     selection_1:
         - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
         - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
@@ -20,27 +23,6 @@ detection:
         - ImagePath|re: '\$VerbosePreference\.ToString\('
         - ImagePath|re: '\String\]\s*\$VerbosePreference'
     condition: selection and selection_1
----
-id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
----
-id: e75c48bd-3434-4d61-94b7-ddfaa2c08487
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection:
-        EventID: 6
----
-id: fd0f5778-d3cb-4c9a-9695-66759d04702a
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4697
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation STDIN+ Launcher
+id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/08/09
+modified: 2021/09/17
 references:
      - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
@@ -12,34 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection:
-        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
-    condition: selection and selection_eventid
----
-id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_var+_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation VAR+ Launcher
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/08/09
+modified: 2021/09/17
 references:
      - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
@@ -12,31 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection:
-        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
-    condition: all of them
----
-id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
-logsource:
-    product: windows
-    category: process_creation
----
-id: dcf2db1f-f091-425b-a821-c05875b8925a
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697
+    selection:
+        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+    condition: all of them
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml

@@ -1,5 +1,5 @@
-action: global
 title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 175997c5-803c-4b08-8bb0-70b099f47595
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
@@ -15,31 +15,12 @@ tags:
 falsepositives:
     - unknown
 level: medium
-detection:
-    selection:
-        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
-    condition: selection and selection_eventid
----
-id: 175997c5-803c-4b08-8bb0-70b099f47595
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: c70731dd-0097-40ff-b112-f7032f29c16c
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697 
+    selection:
+        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+    condition: selection and selection_eventid

rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/08/09
+modified: 2021/09/18
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -12,34 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: medium
-detection:
-    selection:
-        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
-    condition: selection and selection_eventid
----
-id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697 
+    selection:
+        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: medium

rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation Via Stdin
+id: 487c7524-f892-4054-b263-8a0ace63fc25
 description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2021/08/09
+modified: 2021/09/18
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 tags:
@@ -12,34 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection:
-        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
-    condition: selection and selection_eventid
----
-id: 487c7524-f892-4054-b263-8a0ace63fc25
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: 82b66143-53ee-4369-ab02-de2c70cd6352
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation Via Use Clip
+id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/08/09
+modified: 2021/09/18
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
@@ -12,34 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection:
-        ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
-    condition: selection and selection_eventid
----
-id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation Via Use MSHTA
+id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/08/09
+modified: 2021/09/18
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -12,34 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection:
-        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
-    condition: selection and selection_eventid
----
-id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: a4e82ad2-7430-4ee8-b858-6ad6099773fa
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation Via Use Rundll32
+id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/08/09
+modified: 2021/09/18
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 tags:
@@ -12,34 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection:
-        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
-    condition: selection and selection_eventid
----
-id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: 4e1518d9-2136-4015-ab49-c31d7c8588e1
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml

@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/08/09
+modified: 2021/09/18
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@@ -12,34 +12,15 @@ tags:
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection:
-        ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
-    condition: selection and selection_eventid
----
-id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 logsource:
     product: windows
     service: system
 detection:
     selection_eventid:
         EventID: 7045
----
-id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d
-logsource:
-    product: windows
-    category: driver_load
-detection:
-    selection_eventid:
-        EventID: 6
----
-id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_eventid:
-        EventID: 4697
+    selection:
+        ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+    condition: selection and selection_eventid
+falsepositives:
+    - Unknown
+level: high