Creation of Rules for Task 24 - Invoke-Obfuscation VAR+ Launcher

rules/windows/builtin/win_invoke_obfuscation_var+_services.yml

@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation VAR+ Launcher
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+falsepositives:
+    - Unknown
+level: high
+detection:
+    selection_1:
+        - ImagePath|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression'
+        - ImagePath|re: '(\"(?:\{\d\}){1,7}\\){1,5}'
+    condition: selection and selection_1
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 6
+---
+ logsource:
+     product: windows
+     service: security
+ detection:
+     selection:
+         EventID: 4697

rules/windows/powershell/powershell_invoke_obfuscation_var+.yml

@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+detection:
+    selection_1:
+        EventID: 4104
+    selection_2:
+        - ScriptBlockText|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression'
+        - ScriptBlockText|re: '(\"(?:\{\d\}){1,7}\\){1,5}'
+    selection_3:
+        EventID: 4103
+    selection_4:
+        - Payload|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression'
+        - Payload|re: '(\"(?:\{\d\}){1,7}\\){1,5}'
+    condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_invoke_obfuscation_var+.yml

@@ -0,0 +1,24 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 27aec9c9-dbb0-4939-8422-1742242471d0
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - CommandLine|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression'
+        - CommandLine|re: '(\"(?:\{\d\}){1,7}\\){1,5}'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high