Powershell Token Obfuscation - Process Creation

Severity: high
Author: frack113
Source: upstream

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1027.009` Obfuscated Files or Information: Embedded Payloads

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection`

or:
CommandLine|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
CommandLine|re: '"(\{\d\})+"\s*-f'
CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]'

Stage 2: `not 1 of filter_main_envpath`

CommandLine|contains: '${env:path}'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`${env:path}`
`CommandLine`	regex_match	`"(\{\d\})+"\s*-f` (?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\} \w+`(\w+\|-\|.)`[\w+\|\s]