detection.wiki

Detection rules › Sigma

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

Severity
high
Author
Daniel Bohannon (@Mandiant/@FireEye), oscd.community
Source
upstream

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059.001 Command and Scripting Interpreter: PowerShell
Defense EvasionT1027 Obfuscated Files or Information

Event coverage

ProviderEvent IDTitle
PowerShell4103Payload Context: ContextInfo User Data: UserData.

Stages and Predicates

Stage 1: selection_payload

or:
Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
Payload|re: '\$VerbosePreference\.ToString\('
Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
Payload|re: '\*mdr\*\W\s*\)\.Name'
Payload|re: '\[String\]\s*\$VerbosePreference'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Payloadregex_match
  • \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
  • \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
  • \$VerbosePreference\.ToString\(
  • \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
  • \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
  • \*mdr\*\W\s*\)\.Name
  • \[String\]\s*\$VerbosePreference