Detectionhightest
Powershell Token Obfuscation - Process Creation
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection:
# Examples:
# IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
# &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
# &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
- CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]'
# - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- CommandLine|re: '"(\{\d\})+"\s*-f'
# ${e`Nv:pATh}
- CommandLine|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
filter_main_envpath:
CommandLine|contains: '${env:path}'
condition: selection and not 1 of filter_main_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
deb9b646-a508-44ee-b7c9-d8965921c6b6
Status
test
Level
high
Type
Detection
Created
Tue Dec 27
Modified
Sun Aug 11
Author
Path
rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
Raw Tags
attack.defense-evasionattack.t1027.009