security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml
T
Florian Roth ce4cdf06f0 fix: Service Installation 7045 field confusion
2022-03-21 11:10:03 +01:00

29 lines
743 B
YAML
Raw Blame History

title: Invoke-Obfuscation CLIP+ Launcher
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
description: Detects Obfuscated use of Clip.exe to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2022/02/03
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'cmd'
- 'clip'
- 'clipboard]::'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink