Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Timur Zinniatullin, oscd.communityCreated Sun Oct 18Updated Tue Nov 297034cbbb-cc55-4dc2-8dad-36c0b942e8f1windows
Log Source
WindowsPowerShell Module
ProductWindows← raw: windows
CategoryPowerShell Module← raw: ps_module

Definition

0ad03ef1-f21b-4a79-8ce8-e6900c54b65b

Detection Logic
Detection Logic1 selector
detection:
    selection_4103:
        Payload|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        Payload|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        Payload|endswith: 'readtoend'
    condition: selection_4103
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Related Rules
DerivedDetectionmedium

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
Status
test
Level
medium
Type
Detection
Created
Sun Oct 18
Modified
Tue Nov 29
Author
Timur Zinniatullin, oscd.community
Path
rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
Raw Tags
attack.defense-evasionattack.t1027attack.executionattack.t1059.001
View on GitHub