Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Timur Zinniatullin, oscd.communityCreated Sun Oct 18Updated Tue Nov 297a922f1b-2635-4d6c-91ef-af228b198ad3windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security

Definition

The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ServiceFileName|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Related Rules
DerivedDetectionmedium

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
7a922f1b-2635-4d6c-91ef-af228b198ad3
Status
test
Level
medium
Type
Detection
Created
Sun Oct 18
Modified
Tue Nov 29
Author
Timur Zinniatullin, oscd.community
Path
rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
Raw Tags
attack.defense-evasionattack.t1027attack.executionattack.t1059.001
View on GitHub