Invoke-Obfuscation Obfuscated IEX Invocation - System

Severity: high
Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
Source: upstream

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1027` Obfuscated Files or Information

Event coverage

Provider	Event ID	Title
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `all of selection_eid`

Stage 2: `all of selection_imagepath`

or:
ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
ImagePath|re: '\$VerbosePreference\.ToString\('
ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
ImagePath|re: '\String\]\s*\$VerbosePreference'
ImagePath|re: '\\*mdr\*\W\s*\)\.Name'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ImagePath`	regex_match	`\$PSHome\[\s\d{1,3}\s\]\s\+\s\$PSHome\[` `\$ShellId\[\s\d{1,3}\s\]\s\+\s\$ShellId\[` `\$VerbosePreference\.ToString$` `\$env:ComSpec\[(\s\d{1,3}\s,){2}` `\$env:Public\[\s\d{1,3}\s\]\s\+\s\$env:Public\[` `\String\]\s\$VerbosePreference` `\\mdr\\W\s$\.Name`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Windows Bluetooth Service Installed From Uncommon Location [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Service Created with Suspicious Service Path [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Snake Malware Service Create [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Clop Ransomware Known Service Name [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Driver Load Non-Standard Path [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows KrbRelayUp Service Creation [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Service Create RemComSvc [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Service Create SliverC2 [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Vulnerable Driver Installed [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Malicious Powershell Executed As A Service [splunk] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Randomly Generated Windows Service Name [splunk] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Service Created with Suspicious Service Name [splunk] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use Rundll32 - System [sigma] (adds 6 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System [sigma] (adds 6 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR+ Launcher - System [sigma] (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation COMPRESS OBFUSCATION - System [sigma] (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation RUNDLL LAUNCHER - System [sigma] (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation CLIP+ Launcher - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation STDIN+ Launcher - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Stdin - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use MSHTA - System [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
ProcessHacker Privilege Elevation [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use Clip - System [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Credential Dumping Tools Service Execution - System [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Moriya Rootkit - System [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Scripts Installed as Services [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Service Installed By Unusual Client - System [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious Service Installation [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Tap Driver Installation [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
RTCore Suspicious Service Installation [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Service Installation in Suspicious Folder [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
CobaltStrike Service Installations - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
smbexec.py Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
KrbRelayUp Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Meterpreter or Cobalt Strike Getsystem Service Installation - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Anydesk Remote Access Software Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
CSExec Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Mesh Agent Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
NetSupport Manager Service Install [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
PAExec Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
New PDQDeploy Service - Server Side [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
New PDQDeploy Service - Client Side [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
RemCom Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Remote Utilities Host Service Install [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Sliver C2 Default Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
PsExec Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
TacticalRMM Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Uncommon Service Installation Image Path [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Service Installation with Suspicious Folder Pattern [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Service Installation Script [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)