Detectionhightest
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Daniel Bohannon ( / ), oscd.communityCreated Fri Nov 08Updated Sat Dec 312f211361-7dce-442d-b78a-c04039677378windows
Log Source
WindowsPowerShell Module
ProductWindows← raw: windows
CategoryPowerShell Module← raw: ps_module
Definition
0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
Detection Logic
Detection Logic1 selector
detection:
selection_payload:
- Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- Payload|re: '\*mdr\*\W\s*\)\.Name'
- Payload|re: '\$VerbosePreference\.ToString\('
- Payload|re: '\[String\]\s*\$VerbosePreference'
condition: selection_payloadFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Techniques
Sub-techniques
Rule Metadata
Rule ID
2f211361-7dce-442d-b78a-c04039677378
Status
test
Level
high
Type
Detection
Created
Fri Nov 08
Modified
Sat Dec 31
Path
rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
Raw Tags
attack.defense-evasionattack.t1027attack.executionattack.t1059.001