detection.wiki

Detection rules › Sigma

Invoke-Obfuscation Obfuscated IEX Invocation

Severity
high
Author
Daniel Bohannon (@Mandiant/@FireEye), oscd.community
Source
upstream

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059.001 Command and Scripting Interpreter: PowerShell
Defense EvasionT1027 Obfuscated Files or Information

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: selection

or:
CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
CommandLine|re: '\$VerbosePreference\.ToString\('
CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
CommandLine|re: '\*mdr\*\W\s*\)\.Name'
CommandLine|re: '\[String\]\s*\$VerbosePreference'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLineregex_match
  • \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
  • \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
  • \$VerbosePreference\.ToString\(
  • \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
  • \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
  • \*mdr\*\W\s*\)\.Name
  • \[String\]\s*\$VerbosePreference