Home/Sigma rules
Sigma

Sigma detection rules

113 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 113
high
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
status test author Florian Roth (Nextron Systems) id e32d4572-9826-4738-b651-95fa63747e8a
view Sigma YAML 
title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1140
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '::FromBase64String('
    condition: selection
falsepositives:
    - Administrative script libraries
level: high
high
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
status test author Igor Fits, oscd.community id c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
view Sigma YAML 
title: Binary Padding - Linux
id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
status: test
description: |
    Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
    This rule detect using dd and truncate to add a junk data to file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
author: Igor Fits, oscd.community
date: 2020-10-13
modified: 2023-05-03
tags:
    - attack.stealth
    - attack.t1027.001
logsource:
    product: linux
    service: auditd
detection:
    selection_execve:
        type: 'EXECVE'
    keywords_truncate:
        '|all':
            - 'truncate'
            - '-s'
    keywords_dd:
        '|all':
            - 'dd'
            - 'if='
    keywords_filter:
        - 'of='
    condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
falsepositives:
    - Unknown
level: high
simulation:
    - type: atomic-red-team
      name: Pad Binary to Change Hash - Linux/macOS dd
      technique: T1027.001
      atomic_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
high
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
status test author Igor Fits, Mikhail Larin, oscd.community id 95361ce5-c891-4b0a-87ca-e24607884a96
view Sigma YAML 
title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
    - https://linux.die.net/man/1/truncate
    - https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1027.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_truncate:
        Image|endswith: '/truncate'
        CommandLine|contains: '-s +'
    selection_dd:
        Image|endswith: '/dd'
        CommandLine|contains:
            - 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
            - 'if=/dev/random' # high-quality random data
            - 'if=/dev/urandom' # low-quality random data
    condition: 1 of selection_*
falsepositives:
    - Legitimate script work
level: high
high
Csc.EXE Execution Form Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) id b730a276-6b63-41b8-bcf8-55930c8fc6ee
view Sigma YAML 
title: Csc.EXE Execution Form Potentially Suspicious Parent
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
references:
    - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
    - https://reaqta.com/2017/11/short-journey-darkvnc/
    - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-02-11
modified: 2026-03-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\csc.exe'
        - OriginalFileName: 'csc.exe'
    selection_parent_generic:
        ParentImage|endswith:
            - '\cscript.exe'
            - '\excel.exe'
            - '\mshta.exe'
            - '\onenote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wscript.exe'
    selection_parent_powershell:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains:
            - '-Encoded '
            - 'FromBase64String'
    selection_parent_susp_location:
        - ParentCommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
        - ParentCommandLine|contains:
              - ':\PerfLogs\'
              - ':\Users\Public\'
              - ':\Windows\Temp\'
              - '\Temporary Internet'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content basis or other marker while hunting
        ParentCommandLine|contains:
            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high
File Decoded From Base64/Hex Via Certutil.EXE
Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community id cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
view Sigma YAML 
title: File Decoded From Base64/Hex Via Certutil.EXE
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
status: test
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/JohnLaTwC/status/835149808817991680
    - https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2023-02-15
modified: 2025-06-04
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash:
            - '-decode ' # Decode Base64
            - '-decodehex ' # Decode Hex
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml
high
File In Suspicious Location Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
status test author Nasreddine Bencherchali (Nextron Systems) id 82a6714f-4899-4f16-9c1e-9a333544d4c3
view Sigma YAML 
title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
related:
    - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
      type: derived
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
    - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
    - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
    - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
    - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-encode'
    selection_extension:
        CommandLine|contains:
            # Note: Add more suspicious locations to increase coverage
            - '\AppData\Roaming\'
            - '\Desktop\'
            - '\Local\Temp\'
            - '\PerfLogs\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '$Recycle.Bin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml
high
HackTool - CrackMapExec PowerShell Obfuscation
The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
status test author Thomas Patzke id 6f8b3439-a203-45dc-a88b-abf57ea15ccf
view Sigma YAML 
title: HackTool - CrackMapExec PowerShell Obfuscation
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
status: test
description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec
    - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
author: Thomas Patzke
date: 2020-05-22
modified: 2023-02-21
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            - 'join*split'
            # Line 343ff
            - '( $ShellId[1]+$ShellId[13]+''x'')'
            - '( $PSHome[*]+$PSHOME[*]+'
            - '( $env:Public[13]+$env:Public[5]+''x'')'
            - '( $env:ComSpec[4,*,25]-Join'''')'
            - '[1,3]+''x''-Join'''')'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id b222df08-0e07-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher
id: b222df08-0e07-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2022-11-17
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # CommandLine|re: 'cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
        # Example 1: Cmd /c" echo/Invoke-Expression (New-Object Net.WebClient).DownloadString |cLiP&& POWerSheLl -Nolog -sT . (\"{1}{2}{0}\"-f'pe','Ad',(\"{1}{0}\" -f'Ty','d-' ) ) -Assemb ( \"{5}{1}{3}{0}{2}{4}\" -f'ows','y','.F',(\"{0}{1}{2}\" -f'stem.W','i','nd'),( \"{0}{1}\"-f 'o','rms' ),'S' ) ; ([SySTEM.wiNDows.FoRmS.CLiPbOArd]::( \"{1}{0}\" -f (\"{1}{0}\" -f'T','TTeX' ),'gE' ).\"invO`Ke\"( ) ) ^| ^&( \"{5}{1}{2}{4}{3}{0}\" -f 'n',( \"{1}{0}\"-f'KE-','o' ),(\"{2}{1}{0}\"-f 'pRESS','x','e' ),'o','i','iNV') ; [System.Windows.Forms.Clipboard]::(\"{0}{1}\" -f( \"{1}{0}\"-f'e','SetT' ),'xt').\"InV`oKe\"( ' ')"
        # Example 2: CMD/c " ECho Invoke-Expression (New-Object Net.WebClient).DownloadString|c:\WiNDowS\SySteM32\cLip && powershElL -noPRO -sTa ^& (\"{2}{0}{1}\" -f 'dd',(\"{1}{0}\"-f 'ype','-T' ),'A' ) -AssemblyN (\"{0}{3}{2}{1}{4}\"-f'Pr','nCo',(\"{0}{1}\"-f'e','ntatio'),'es','re' ) ; ^& ( ( [StRinG]${ve`RB`OSE`pr`e`FeReNCE} )[1,3] + 'x'-JoiN'') ( ( [sySTem.WInDOWs.ClipbOaRD]::( \"{1}{0}\" -f(\"{0}{1}\" -f'tTe','xt' ),'ge' ).\"IN`Vo`Ke\"( ) ) ) ; [System.Windows.Clipboard]::( \"{2}{1}{0}\" -f't',( \"{0}{1}\" -f 'tT','ex' ),'Se' ).\"In`V`oKe\"( ' ' )"
        CommandLine|contains|all:
            - 'cmd'
            - '&&'
            - 'clipboard]::'
            - '-f'
        CommandLine|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher - PowerShell
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id 73e67340-0d25-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher - PowerShell
id: 73e67340-0d25-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id a136cde0-61ad-4a61-9b82-8dc490e60dd2
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
related:
    - id: 73e67340-0d25-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher - Security
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id 4edf51e1-cb83-4e1a-bc39-800e396068e3
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher - Security
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
related:
    - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2022-11-27
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'cmd'
            - '&&'
            - 'clipboard]::'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher - System
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id f7385ee2-0e0c-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher - System
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2023-02-20
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'cmd'
            - '&&'
            - 'clipboard]::'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community id 4bf943c6-5146-4273-98dd-e958fd1e3abf
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019-11-08
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - CommandLine|re: '\$env:ComSpec\[(?:\s*\d{1,3}\s*,){2}'
        - CommandLine|re: '\*mdr\*\W\s*\)\.Name'
        - CommandLine|re: '\$VerbosePreference\.ToString\('
        - CommandLine|re: '\[String\]\s*\$VerbosePreference'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community id 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019-11-08
modified: 2022-12-31
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_iex:
        - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name'
        - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
    condition: selection_iex
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community id 2f211361-7dce-442d-b78a-c04039677378
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
id: 2f211361-7dce-442d-b78a-c04039677378
related:
    - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
      type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-12-31
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_payload:
        - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - Payload|re: '\*mdr\*\W\s*\)\.Name'
        - Payload|re: '\$VerbosePreference\.ToString\('
        - Payload|re: '\[String\]\s*\$VerbosePreference'
    condition: selection_payload
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation - Security
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community id fd0f5778-d3cb-4c9a-9695-66759d04702a
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - Security
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
related:
    - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
      type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
    - attack.stealth
    - attack.t1027
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection_eid:
        EventID: 4697
    selection_servicefilename:
        - ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name'
        - ServiceFileName|re: '\$VerbosePreference\.ToString\('
        - ServiceFileName|re: '\String\]\s*\$VerbosePreference'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation - System
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community id 51aa9387-1c53-4153-91cc-d73c59ae1ca9
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - System
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
    - attack.stealth
    - attack.t1027
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        EventID: 7045
    selection_imagepath:
        - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
        - ImagePath|re: '\$VerbosePreference\.ToString\('
        - ImagePath|re: '\String\]\s*\$VerbosePreference'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 6c96fc76-0eb1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher
id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
        # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
        CommandLine|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 9ac8b09b-45de-4a07-9da1-0de8c09304a3
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
related:
    - id: 779c8c12-0eb1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher - Powershell
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 779c8c12-0eb1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - Powershell
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher - Security
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - Security
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
related:
    - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'cmd'
            - 'powershell'
    selection2:
        ServiceFileName|contains:
            - '${input}'
            - 'noexit'
    selection3:
        ServiceFileName|contains:
            - ' /c '
            - ' /r '
    condition: all of selection*
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher - System
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 72862bf2-0eb1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - System
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection_main:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
        # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
        # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
        ImagePath|contains|all:
            - 'cmd'
            - 'powershell'
        ImagePath|contains:
            - '/c'
            - '/r'
    selection_other:
        - ImagePath|contains: 'noexit'
        - ImagePath|contains|all:
              - 'input'
              - '$'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 27aec9c9-dbb0-4939-8422-1742242471d0
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher
id: 27aec9c9-dbb0-4939-8422-1742242471d0
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        CommandLine|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - PowerShell
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 0adfbc14-0ed1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - PowerShell
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
related:
    - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - Security
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id dcf2db1f-f091-425b-a821-c05875b8925a
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - Security
id: dcf2db1f-f091-425b-a821-c05875b8925a
related:
    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
      type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        # ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        ServiceFileName|contains|all:
            - 'cmd'
            - '"set'
            - '-f'
        ServiceFileName|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - System
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 8ca7004b-e620-4ecb-870e-86129b5b8e75
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - System
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        ImagePath|contains|all:
            - 'cmd'
            - '"set'
            - '-f'
        ImagePath|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id e9f55347-2928-4c06-88e5-1a7f8169942e
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: e9f55347-2928-4c06-88e5-1a7f8169942e
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # CommandLine|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        CommandLine|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        CommandLine|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id e54f5149-6ba3-49cf-b153-070d24679126
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
id: e54f5149-6ba3-49cf-b153-070d24679126
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
related:
    - id: e54f5149-6ba3-49cf-b153-070d24679126
      type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
related:
    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
      type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        # ServiceFileName|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        ServiceFileName|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        ServiceFileName|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        ImagePath|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        ImagePath|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 9c14c9fa-1a63-4a64-8e57-d19280559490
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin
id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re: '(?i)(?:set).*&&\s?set.*(?:environment|invoke|\$\{?input).*&&.*"'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - PowerShell Module
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id c72aca44-8d52-45ad-8f81-f96c4d3c755e
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - PowerShell Module
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
related:
    - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
      type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - Powershell
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - Powershell
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - Security
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - Security
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
related:
    - id: 487c7524-f892-4054-b263-8a0ace63fc25
      type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'set'
            - '&&'
        ServiceFileName|contains:
            - 'environment'
            - 'invoke'
            - '${input)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - System
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 487c7524-f892-4054-b263-8a0ace63fc25
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - System
id: 487c7524-f892-4054-b263-8a0ace63fc25
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: '(?i)(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
        ImagePath|contains|all:
            - 'set'
            - '&&'
        ImagePath|contains:
            - 'environment'
            - 'invoke'
            - 'input'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id e1561947-b4e3-4a74-9bdd-83baed21bdb5
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip
id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
        # Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
        CommandLine|re: '(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - PowerShell Module
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - PowerShell Module
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
related:
    - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - Powershell
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id db92dd33-a3ad-49cf-8c2c-608c3e30ace0
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Powershell
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - Security
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - System
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id 63e3365d-4824-42d8-8b82-e56810fefa0c
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - System
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id ac20ae82-8758-4f38-958e-b44a3140ca88
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA
id: ac20ae82-8758-4f38-958e-b44a3140ca88
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009   # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA - PowerShell
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id e55a5195-4724-480e-a77e-3ebe64bd3759
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - PowerShell
id: e55a5195-4724-480e-a77e-3ebe64bd3759
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
related:
    - id: e55a5195-4724-480e-a77e-3ebe64bd3759
      type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2023-01-04
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA - Security
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - Security
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
related:
    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
      type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - 'window.close'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA - System
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - System
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Rundll32 - PowerShell
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community id a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ScriptBlockText|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community id 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
related:
    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        Payload|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Rundll32 - Security
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community id cd0f7229-d16f-42de-8fe3-fba365fbcb3a
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - Security
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
related:
    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ServiceFileName|contains:
            - value
            - invoke
            - comspec
            - iex
    condition: selection
falsepositives:
    - Unknown
level: high
Showing 1-50 of 113
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin