Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

Powershell Token Obfuscation - Powershell

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts. Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment. Once tested and tuned, consider deploying a production detection rule based on this hunting rule.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Tue Dec 27Updated Sun Oct 19f3a98ce4-6164-4dd4-867c-4d83de7eca51windows
Hunting Hypothesis
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic4 selectors
detection:
    selection:
        # Examples:
        #   IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
        #   &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
        #   &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
        - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
        # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
        - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f'  # trigger on at least two placeholders. One might be used for legitimate string formatting
        #   ${e`Nv:pATh}
        - ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
    filter_envpath:
        ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964
    filter_chocolatey:
        ScriptBlockText|contains:
            - 'it will return true or false instead'  # Chocolatey install script https://github.com/chocolatey/chocolatey
            - 'The function also prevents `Get-ItemProperty` from failing' # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey
    filter_exchange:
        Path|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Path|endswith: '\bin\servicecontrol.ps1'
        ScriptBlockText|contains: '`r`n'
    condition: selection and not 1 of filter_*
False Positives

Edge case might be possible with heavy use of string formatting or obfuscation in legitimate scripts.

References
1
Resolving title…
github.com
MITRE ATT&CK

Other

detection.threat-hunting
Related Rules
SimilarDetectionhigh

Powershell Token Obfuscation - Process Creation

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
f3a98ce4-6164-4dd4-867c-4d83de7eca51
Status
test
Level
medium
Type
Threat Hunt
Created
Tue Dec 27
Modified
Sun Oct 19
Author
François Hubaut
Path
rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
Raw Tags
attack.defense-evasionattack.t1027.009detection.threat-hunting
View on GitHub