detection.wiki

Detection rules › Sigma

Invoke-Obfuscation Obfuscated IEX Invocation - Security

Severity
high
Author
Daniel Bohannon (@Mandiant/@FireEye), oscd.community
Source
upstream

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1027 Obfuscated Files or Information

Event coverage

ProviderEvent IDTitle
Security-Auditing4697A service was installed in the system.

Stages and Predicates

Stage 1: all of selection_eid

Stage 2: all of selection_servicefilename

or:
ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
ServiceFileName|re: '\$VerbosePreference\.ToString\('
ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
ServiceFileName|re: '\String\]\s*\$VerbosePreference'
ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ServiceFileNameregex_match
  • \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
  • \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
  • \$VerbosePreference\.ToString\(
  • \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
  • \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
  • \String\]\s*\$VerbosePreference
  • \\*mdr\*\W\s*\)\.Name

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.