Sigma rules for CVE-2010-0249
202 rules · scoped to cve · back to CVE-2010-0249
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Invoke-Obfuscation Via Use Clip
id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
# Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
CommandLine|re: '(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
related:
- id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
type: similar
status: test
description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
author: pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# ::("L"+"oad")
- 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
- 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
- '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
# ::("Lo"+"ad")
- 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
- 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
- '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
# ::("Loa"+"d")
- 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
- 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
- '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
# ::('L'+'oad')
- 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
- 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
- '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
# ::('Lo'+'ad')
- 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
- 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
- '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
# ::('Loa'+'d')
- 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
- 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
- '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
condition: selection
falsepositives:
- Unlikely
level: high