Detectionhightest
Invoke-Obfuscation Obfuscated IEX Invocation - System
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Daniel Bohannon ( / ), oscd.communityCreated Fri Nov 08Updated Sun Nov 2751aa9387-1c53-4153-91cc-d73c59ae1ca9windows
Log Source
Windowssystem
ProductWindows← raw: windows
Servicesystem← raw: system
Detection Logic
Detection Logic2 selectors
detection:
selection_eid:
EventID: 7045
selection_imagepath:
- ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\$VerbosePreference\.ToString\('
- ImagePath|re: '\String\]\s*\$VerbosePreference'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
51aa9387-1c53-4153-91cc-d73c59ae1ca9
Status
test
Level
high
Type
Detection
Created
Fri Nov 08
Modified
Sun Nov 27
Path
rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
Raw Tags
attack.defense-evasionattack.t1027