diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
new file mode 100644
index 000000000..d583e05d3
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation VAR+ Launcher
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression'
+ - ImagePath|re: '(\"(?:\{\d\}){1,7}\\){1,5}'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml
new file mode 100644
index 000000000..1434326e0
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml
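Review bot: The global `selection_1` applies `ImagePath` to all three sub-documents, but as far as I know only System Event ID 7045 carries that field — Sysmon Event ID 6 records the loaded driver as `ImageLoaded` and Security 4697 records the service binary as `ServiceFileName` — so unless the backend field mapping normalizes these names, the sysmon and security documents can never match and the rule silently degrades to 7045 only. Each sub-document should carry its own field name (e.g. `ServiceFileName|re:` in the 4697 document), and the Sysmon 6 document is doubtful regardless, since a driver-load path is not where a `set ...=Invoke-Expression` string would appear. The fourth document also appears indented one level (`+ logsource:` where the other documents have `+logsource:`); that is still valid at the YAML root but should be flush with the rest, and the inline `#(Task 24)` comment lacks the space after `#` that yamllint expects. Separately, each list of `|re` entries under a selection is an OR, so the generic format-string pattern `(\"(?:\{\d\}){1,7}\\){1,5}` fires on its own without the `Invoke-Expression` pattern; the same applies to the powershell and process_creation rules in this commit, and either a tighter pattern or a concrete `falsepositives` entry in place of `Unknown` is warranted.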
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ selection_2:
+ - ScriptBlockText|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression'
+ - ScriptBlockText|re: '(\"(?:\{\d\}){1,7}\\){1,5}'
+ selection_3:
+ EventID: 4103
+ selection_4:
+ - Payload|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression'
+ - Payload|re: '(\"(?:\{\d\}){1,7}\\){1,5}'
+ condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml
new file mode 100644
index 000000000..52422dd0c
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml
@@ -0,0 +1,24 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 27aec9c9-dbb0-4939-8422-1742242471d0
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - CommandLine|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression'
+ - CommandLine|re: '(\"(?:\{\d\}){1,7}\\){1,5}'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file