Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Invoke-Obfuscation Obfuscated IEX Invocation

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Daniel Bohannon ( / ), oscd.communityCreated Fri Nov 08Updated Sat Dec 314bf943c6-5146-4273-98dd-e958fd1e3abfwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        - CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - CommandLine|re: '\*mdr\*\W\s*\)\.Name'
        - CommandLine|re: '\$VerbosePreference\.ToString\('
        - CommandLine|re: '\[String\]\s*\$VerbosePreference'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
4bf943c6-5146-4273-98dd-e958fd1e3abf
Status
test
Level
high
Type
Detection
Created
Fri Nov 08
Modified
Sat Dec 31
Author
Daniel Bohannon ( / ), oscd.community
Path
rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
Raw Tags
attack.defense-evasionattack.t1027attack.executionattack.t1059.001
View on GitHub