Detectionhightest
Invoke-Obfuscation Obfuscated IEX Invocation - Security
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Daniel Bohannon ( / ), oscd.communityCreated Fri Nov 08Updated Sun Nov 27fd0f5778-d3cb-4c9a-9695-66759d04702awindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Definition
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
Detection Logic
Detection Logic2 selectors
detection:
selection_eid:
EventID: 4697
selection_servicefilename:
- ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name'
- ServiceFileName|re: '\$VerbosePreference\.ToString\('
- ServiceFileName|re: '\String\]\s*\$VerbosePreference'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
fd0f5778-d3cb-4c9a-9695-66759d04702a
Status
test
Level
high
Type
Detection
Created
Fri Nov 08
Modified
Sun Nov 27
Path
rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
Raw Tags
attack.defense-evasionattack.t1027