Home/Sigma rules
Sigma

Sigma detection rules

179 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 179
critical
Bad Opsec Powershell Code Artifacts
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
status test author ok @securonix invrep_de, oscd.community id 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
view Sigma YAML 
title: Bad Opsec Powershell Code Artifacts
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
    - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
      type: derived
status: test
description: |
    focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
    Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
    that often undergo minimal changes by attackers due to bad opsec.
references:
    - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
    - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
    - https://www.mdeditor.tw/pl/pgRt
author: 'ok @securonix invrep_de, oscd.community'
date: 2020-10-09
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains:
            - '$DoIt'
            - 'harmj0y'
            - 'mattifestation'
            - '_RastaMouse'
            - 'tifkin_'
            - '0xdeadbeef'
    condition: selection_4103
falsepositives:
    - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
level: critical
critical
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IP report
status test author Alina Stepchenkova, Group-IB, oscd.community id 3ceb2083-a27f-449a-be33-14ec1b7cc973
view Sigma YAML 
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IP report
references:
    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1572
    - attack.impact
    - attack.t1529
    - attack.g0091
    - attack.s0363
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    empire:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'System.Diagnostics.Process'
            - 'Stop-Computer'
            - 'Restart-Computer'
            - 'Exception in execution'
            - '$cmdargs'
            - 'Close-Dnscat2Tunnel'
    dnscat:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'set type=$LookupType`nserver'
            - '$Command | nslookup 2>&1 | Out-String'
            - 'New-RandomDNSField'
            - '[Convert]::ToString($SYNOptions, 16)'
            - '$Session.Dead = $True'
            - '$Session["Driver"] -eq'
    condition: empire and dnscat
falsepositives:
    - Unknown
level: critical
high
AWS EC2 Startup Shell Script Change
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
status test author faloker id 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
view Sigma YAML 
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: test
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
author: faloker
date: 2020-02-12
modified: 2022-06-07
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        requestParameters.attribute: 'userData'
        eventName: ModifyInstanceAttribute
    condition: selection_source
falsepositives:
    - Valid changes to the startup script
level: high
high
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
status test author Florian Roth (Nextron Systems) id e32d4572-9826-4738-b651-95fa63747e8a
view Sigma YAML 
title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1140
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '::FromBase64String('
    condition: selection
falsepositives:
    - Administrative script libraries
level: high
high
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
status test author C.J. May id 02773bed-83bf-469f-b7ff-e676e7d78bab
view Sigma YAML 
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
    - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - 'BloodHound.zip'
            - '_computers.json'
            - '_containers.json'
            # - '_domains.json'  # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
            - '_gpos.json'
            - '_groups.json'
            - '_ous.json'
            - '_users.json'
    filter_optional_ms_winapps:
        Image|endswith: '\svchost.exe'
        TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
        TargetFilename|endswith: '\pocket_containers.json'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high
high
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer).
status test author Florian Roth (Nextron Systems) id a16980c2-0c56-4de0-9a79-17971979efdd
view Sigma YAML 
title: Cmd.EXE Missing Space Characters Execution Anomaly
id: a16980c2-0c56-4de0-9a79-17971979efdd
status: test
description: |
    Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
    This could be a sign of obfuscation of a fat finger problem (typo by the developer).
references:
    - https://twitter.com/cyb3rops/status/1562072617552678912
    - https://ss64.com/nt/cmd.html
author: Florian Roth (Nextron Systems)
date: 2022-08-23
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:  # missing space before the /c
        CommandLine|contains:
            - 'cmd.exe/c'
            - '\cmd/c'  # just cmd/c would be prone to false positives
            - '"cmd/c'
            - 'cmd.exe/k'
            - '\cmd/k'  # just cmd/k would be prone to false positives
            - '"cmd/k'
            - 'cmd.exe/r'
            - '\cmd/r'  # just cmd/r would be prone to false positives
            - '"cmd/r'
    selection2: # special cases verified via Virustotal Enterprise search
        CommandLine|contains:
            - '/cwhoami'
            - '/cpowershell'
            - '/cschtasks'
            - '/cbitsadmin'
            - '/ccertutil'
            - '/kwhoami'
            - '/kpowershell'
            - '/kschtasks'
            - '/kbitsadmin'
            - '/kcertutil'
    selection3:  # missing space after the /c
        CommandLine|contains:
            - 'cmd.exe /c'
            - 'cmd /c'
            - 'cmd.exe /k'
            - 'cmd /k'
            - 'cmd.exe /r'
            - 'cmd /r'
    filter_generic:
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd /c '
            - 'cmd.exe /k '
            - 'cmd /k '
            - 'cmd.exe /r '
            - 'cmd /r '
    filter_fp:
        - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
        - CommandLine|endswith: 'cmd.exe/c .'
        - CommandLine: 'cmd.exe /c'
    condition: 1 of selection* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
high
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test author Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri id 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
view Sigma YAML 
title: DSInternals Suspicious PowerShell Cmdlets
id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
    - id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
      type: similar
status: test
description: |
    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
date: 2024-06-26
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Add-ADDBSidHistory'
            - 'Add-ADNgcKey'
            - 'Add-ADReplNgcKey'
            - 'ConvertFrom-ADManagedPasswordBlob'
            - 'ConvertFrom-GPPrefPassword'
            - 'ConvertFrom-ManagedPasswordBlob'
            - 'ConvertFrom-UnattendXmlPassword'
            - 'ConvertFrom-UnicodePassword'
            - 'ConvertTo-AADHash'
            - 'ConvertTo-GPPrefPassword'
            - 'ConvertTo-KerberosKey'
            - 'ConvertTo-LMHash'
            - 'ConvertTo-MsoPasswordHash'
            - 'ConvertTo-NTHash'
            - 'ConvertTo-OrgIdHash'
            - 'ConvertTo-UnicodePassword'
            - 'Disable-ADDBAccount'
            - 'Enable-ADDBAccount'
            - 'Get-ADDBAccount'
            - 'Get-ADDBBackupKey'
            - 'Get-ADDBDomainController'
            - 'Get-ADDBGroupManagedServiceAccount'
            - 'Get-ADDBKdsRootKey'
            - 'Get-ADDBSchemaAttribute'
            - 'Get-ADDBServiceAccount'
            - 'Get-ADDefaultPasswordPolicy'
            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
            - 'Get-ADPasswordPolicy'
            - 'Get-ADReplAccount'
            - 'Get-ADReplBackupKey'
            - 'Get-ADReplicationAccount'
            - 'Get-ADSIAccount'
            - 'Get-AzureADUserEx'
            - 'Get-BootKey'
            - 'Get-KeyCredential'
            - 'Get-LsaBackupKey'
            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
            - 'Get-SamPasswordPolicy'
            - 'Get-SysKey'
            - 'Get-SystemKey'
            - 'New-ADDBRestoreFromMediaScript'
            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
            - 'New-ADNgcKey'
            - 'New-NTHashSet'
            - 'Remove-ADDBObject'
            - 'Save-DPAPIBlob'
            - 'Set-ADAccountPasswordHash'
            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
            - 'Set-ADDBBootKey'
            - 'Set-ADDBDomainController'
            - 'Set-ADDBPrimaryGroup'
            - 'Set-ADDBSysKey'
            - 'Set-AzureADUserEx'
            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
            - 'Set-SamAccountPasswordHash'
            - 'Set-WinUserPasswordHash'
            - 'Test-ADDBPasswordQuality'
            - 'Test-ADPasswordQuality'
            - 'Test-ADReplPasswordQuality'
            - 'Test-PasswordQuality'
            - 'Unlock-ADDBAccount'
            - 'Write-ADNgcKey'
            - 'Write-ADReplNgcKey'
    condition: selection
falsepositives:
    - Legitimate usage of DSInternals for administration or audit purpose.
level: high
high
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test author Nasreddine Bencherchali (Nextron Systems) id 846c7a87-8e14-4569-9d49-ecfd4276a01c
view Sigma YAML 
title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
related:
    - id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
      type: similar
status: test
description: |
    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Add-ADDBSidHistory'
            - 'Add-ADNgcKey'
            - 'Add-ADReplNgcKey'
            - 'ConvertFrom-ADManagedPasswordBlob'
            - 'ConvertFrom-GPPrefPassword'
            - 'ConvertFrom-ManagedPasswordBlob'
            - 'ConvertFrom-UnattendXmlPassword'
            - 'ConvertFrom-UnicodePassword'
            - 'ConvertTo-AADHash'
            - 'ConvertTo-GPPrefPassword'
            - 'ConvertTo-KerberosKey'
            - 'ConvertTo-LMHash'
            - 'ConvertTo-MsoPasswordHash'
            - 'ConvertTo-NTHash'
            - 'ConvertTo-OrgIdHash'
            - 'ConvertTo-UnicodePassword'
            - 'Disable-ADDBAccount'
            - 'Enable-ADDBAccount'
            - 'Get-ADDBAccount'
            - 'Get-ADDBBackupKey'
            - 'Get-ADDBDomainController'
            - 'Get-ADDBGroupManagedServiceAccount'
            - 'Get-ADDBKdsRootKey'
            - 'Get-ADDBSchemaAttribute'
            - 'Get-ADDBServiceAccount'
            - 'Get-ADDefaultPasswordPolicy'
            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
            - 'Get-ADPasswordPolicy'
            - 'Get-ADReplAccount'
            - 'Get-ADReplBackupKey'
            - 'Get-ADReplicationAccount'
            - 'Get-ADSIAccount'
            - 'Get-AzureADUserEx'
            - 'Get-BootKey'
            - 'Get-KeyCredential'
            - 'Get-LsaBackupKey'
            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
            - 'Get-SamPasswordPolicy'
            - 'Get-SysKey'
            - 'Get-SystemKey'
            - 'New-ADDBRestoreFromMediaScript'
            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
            - 'New-ADNgcKey'
            - 'New-NTHashSet'
            - 'Remove-ADDBObject'
            - 'Save-DPAPIBlob'
            - 'Set-ADAccountPasswordHash'
            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
            - 'Set-ADDBBootKey'
            - 'Set-ADDBDomainController'
            - 'Set-ADDBPrimaryGroup'
            - 'Set-ADDBSysKey'
            - 'Set-AzureADUserEx'
            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
            - 'Set-SamAccountPasswordHash'
            - 'Set-WinUserPasswordHash'
            - 'Test-ADDBPasswordQuality'
            - 'Test-ADPasswordQuality'
            - 'Test-ADReplPasswordQuality'
            - 'Test-PasswordQuality'
            - 'Unlock-ADDBAccount'
            - 'Write-ADNgcKey'
            - 'Write-ADReplNgcKey'
    condition: selection
falsepositives:
    - Legitimate usage of DSInternals for administration or audit purpose.
level: high
high
Exchange PowerShell Snap-Ins Usage
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
status test author FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) id 25676e10-2121-446e-80a4-71ff8506af47
view Sigma YAML 
title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: test
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
references:
    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-03-24
tags:
    - attack.execution
    - attack.t1059.001
    - attack.collection
    - attack.t1114
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'Add-PSSnapin'
    selection_module:
        CommandLine|contains:
            - 'Microsoft.Exchange.Powershell.Snapin'
            - 'Microsoft.Exchange.Management.PowerShell.SnapIn'
    filter_msiexec:
        # ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
        ParentImage: 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
high
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
status test author Max Altgelt (Nextron Systems) id fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
view Sigma YAML 
title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
    - https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '-f C:\Users\Public'
            - '-f "C:\Users\Public'
            - '-f %Public%'
            - '-fi C:\Users\Public'
            - '-fi "C:\Users\Public'
            - '-fi %Public%'
            - '-fil C:\Users\Public'
            - '-fil "C:\Users\Public'
            - '-fil %Public%'
            - '-file C:\Users\Public'
            - '-file "C:\Users\Public'
            - '-file %Public%'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
status test author Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) id 52cad028-0ff0-4854-8f67-d25dfcbc78b4
view Sigma YAML 
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
status test author Florian Roth (Nextron Systems) id f376c8a7-a2d0-4ddc-aa0c-16c17236d962
view Sigma YAML 
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Product|contains: 'SharpHound'
        - Description|contains: 'SharpHound'
        - Company|contains:
              - 'SpecterOps'
              - 'evil corp'
        - Image|contains:
              - '\Bloodhound.exe'
              - '\SharpHound.exe'
    selection_cli_1:
        CommandLine|contains:
            - ' -CollectionMethod All '
            - ' --CollectionMethods Session '
            - ' --Loop --Loopduration '
            - ' --PortScanTimeout '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection_cli_2:
        CommandLine|contains|all:
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection_cli_3:
        CommandLine|contains|all:
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of selection_*
falsepositives:
    - Other programs that use these command line option and accepts an 'All' parameter
level: high
high
HackTool - Covenant PowerShell Launcher
Detects suspicious command lines used in Covenant luanchers
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community id c260b6db-48ba-4b4a-a76f-2f67644e99d2
view Sigma YAML 
title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant luanchers
references:
    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '-Sta'
            - '-Nop'
            - '-Window'
            - 'Hidden'
        CommandLine|contains:
            - '-Command'
            - '-EncodedCommand'
    selection_2:
        CommandLine|contains:
            - 'sv o (New-Object IO.MemorySteam);sv d '
            - 'mshta file.hta'
            - 'GruntHTTP'
            - '-EncodedCommand cwB2ACAAbwAgA'
    condition: 1 of selection_*
level: high
high
HackTool - CrackMapExec Execution
This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
status test author Florian Roth (Nextron Systems) id 42a993dd-bb3e-48c8-b372-4d6684c4106c
view Sigma YAML 
title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-03-08
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.discovery
    - attack.t1047
    - attack.t1053
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1110
    - attack.t1201
logsource:
    category: process_creation
    product: windows
detection:
    selection_binary:
        Image|endswith: '\crackmapexec.exe'
    selection_special:
        CommandLine|contains: ' -M pe_inject '
    selection_execute:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -x '
    selection_hash:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
            - " -H 'NTHASH'"
    selection_module_mssql:
        CommandLine|contains|all:
            - ' mssql '
            - ' -u '
            - ' -p '
            - ' -M '
            - ' -d '
    selection_module_smb1:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -H '
            - ' -M '
            - ' -o '
    selection_module_smb2:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -p '
            - ' --local-auth'
    part_localauth_1:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
    part_localauth_2:
        CommandLine|contains|all:
            - ' 10.'
            - ' 192.168.'
            - '/24 '
    condition: 1 of selection_* or all of part_localauth*
falsepositives:
    - Unknown
level: high
high
HackTool - CrackMapExec Execution Patterns
Detects various execution patterns of the CrackMapExec pentesting framework
status stable author Thomas Patzke id 058f4380-962d-40a5-afce-50207d36d7e2
view Sigma YAML 
title: HackTool - CrackMapExec Execution Patterns
id: 058f4380-962d-40a5-afce-50207d36d7e2
status: stable
description: Detects various execution patterns of the CrackMapExec pentesting framework
references:
    - https://github.com/byt3bl33d3r/CrackMapExec
author: Thomas Patzke
date: 2020-05-22
modified: 2023-11-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053
    - attack.t1059.003
    - attack.t1059.001
    - attack.s0106
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
            - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
            # cme/protocols/smb/atexec.py:109 (fileless output via share)
            - 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
            # cme/protocols/smb/atexec.py:111 (fileless output via share)
            - 'cmd.exe /C * > *\\Temp\\* 2>&1'
            # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation)
            - 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
            # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation)
            - 'powershell.exe -noni -nop -w 1 -enc '
    condition: selection
falsepositives:
    - Unknown
level: high
high
HackTool - CrackMapExec PowerShell Obfuscation
The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
status test author Thomas Patzke id 6f8b3439-a203-45dc-a88b-abf57ea15ccf
view Sigma YAML 
title: HackTool - CrackMapExec PowerShell Obfuscation
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
status: test
description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec
    - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
author: Thomas Patzke
date: 2020-05-22
modified: 2023-02-21
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            - 'join*split'
            # Line 343ff
            - '( $ShellId[1]+$ShellId[13]+''x'')'
            - '( $PSHome[*]+$PSHOME[*]+'
            - '( $env:Public[13]+$env:Public[5]+''x'')'
            - '( $env:ComSpec[4,*,25]-Join'''')'
            - '[1,3]+''x''-Join'''')'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
HackTool - Default PowerSploit/Empire Scheduled Task Creation
Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
status test author Markus Neis, @Karneades id 56c217c3-2de2-479b-990f-5c109ba8458f
view Sigma YAML 
title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
id: 56c217c3-2de2-479b-990f-5c109ba8458f
status: test
description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
references:
    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
author: Markus Neis, @Karneades
date: 2018-03-06
modified: 2023-03-03
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.s0111
    - attack.g0022
    - attack.g0060
    - car.2013-08-001
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - 'powershell.exe -NonI'
            - '/TN Updater /TR'
        CommandLine|contains:
            - '/SC ONLOGON'
            - '/SC DAILY /ST'
            - '/SC ONIDLE'
            - '/SC HOURLY'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
HackTool - Empire PowerShell Launch Parameters
Detects suspicious powershell command line parameters used in Empire
status test author Florian Roth (Nextron Systems) id 79f4ede3-402e-41c8-bc3e-ebbf5f162581
view Sigma YAML 
title: HackTool - Empire PowerShell Launch Parameters
id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
status: test
description: Detects suspicious powershell command line parameters used in Empire
references:
    - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
author: Florian Roth (Nextron Systems)
date: 2019-04-20
modified: 2023-02-21
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -NoP -sta -NonI -W Hidden -Enc '
            - ' -noP -sta -w 1 -enc '
            - ' -NoP -NonI -W Hidden -enc '
            - ' -noP -sta -w 1 -enc'
            - ' -enc  SQB'
            - ' -nop -exec bypass -EncodedCommand '
    condition: selection
falsepositives:
    - Other tools that incidentally use the same command line parameters
level: high
high
Invoke-Obfuscation CLIP+ Launcher
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id b222df08-0e07-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher
id: b222df08-0e07-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2022-11-17
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # CommandLine|re: 'cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
        # Example 1: Cmd /c" echo/Invoke-Expression (New-Object Net.WebClient).DownloadString |cLiP&& POWerSheLl -Nolog -sT . (\"{1}{2}{0}\"-f'pe','Ad',(\"{1}{0}\" -f'Ty','d-' ) ) -Assemb ( \"{5}{1}{3}{0}{2}{4}\" -f'ows','y','.F',(\"{0}{1}{2}\" -f'stem.W','i','nd'),( \"{0}{1}\"-f 'o','rms' ),'S' ) ; ([SySTEM.wiNDows.FoRmS.CLiPbOArd]::( \"{1}{0}\" -f (\"{1}{0}\" -f'T','TTeX' ),'gE' ).\"invO`Ke\"( ) ) ^| ^&( \"{5}{1}{2}{4}{3}{0}\" -f 'n',( \"{1}{0}\"-f'KE-','o' ),(\"{2}{1}{0}\"-f 'pRESS','x','e' ),'o','i','iNV') ; [System.Windows.Forms.Clipboard]::(\"{0}{1}\" -f( \"{1}{0}\"-f'e','SetT' ),'xt').\"InV`oKe\"( ' ')"
        # Example 2: CMD/c " ECho Invoke-Expression (New-Object Net.WebClient).DownloadString|c:\WiNDowS\SySteM32\cLip && powershElL -noPRO -sTa ^& (\"{2}{0}{1}\" -f 'dd',(\"{1}{0}\"-f 'ype','-T' ),'A' ) -AssemblyN (\"{0}{3}{2}{1}{4}\"-f'Pr','nCo',(\"{0}{1}\"-f'e','ntatio'),'es','re' ) ; ^& ( ( [StRinG]${ve`RB`OSE`pr`e`FeReNCE} )[1,3] + 'x'-JoiN'') ( ( [sySTem.WInDOWs.ClipbOaRD]::( \"{1}{0}\" -f(\"{0}{1}\" -f'tTe','xt' ),'ge' ).\"IN`Vo`Ke\"( ) ) ) ; [System.Windows.Clipboard]::( \"{2}{1}{0}\" -f't',( \"{0}{1}\" -f 'tT','ex' ),'Se' ).\"In`V`oKe\"( ' ' )"
        CommandLine|contains|all:
            - 'cmd'
            - '&&'
            - 'clipboard]::'
            - '-f'
        CommandLine|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher - PowerShell
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id 73e67340-0d25-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher - PowerShell
id: 73e67340-0d25-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id a136cde0-61ad-4a61-9b82-8dc490e60dd2
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
related:
    - id: 73e67340-0d25-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher - Security
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id 4edf51e1-cb83-4e1a-bc39-800e396068e3
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher - Security
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
related:
    - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2022-11-27
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'cmd'
            - '&&'
            - 'clipboard]::'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation CLIP+ Launcher - System
Detects Obfuscated use of Clip.exe to execute PowerShell
status test author Jonathan Cheong, oscd.community id f7385ee2-0e0c-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation CLIP+ Launcher - System
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2023-02-20
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'cmd'
            - '&&'
            - 'clipboard]::'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community id 4bf943c6-5146-4273-98dd-e958fd1e3abf
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019-11-08
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - CommandLine|re: '\$env:ComSpec\[(?:\s*\d{1,3}\s*,){2}'
        - CommandLine|re: '\*mdr\*\W\s*\)\.Name'
        - CommandLine|re: '\$VerbosePreference\.ToString\('
        - CommandLine|re: '\[String\]\s*\$VerbosePreference'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community id 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019-11-08
modified: 2022-12-31
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_iex:
        - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name'
        - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
    condition: selection_iex
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community id 2f211361-7dce-442d-b78a-c04039677378
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
id: 2f211361-7dce-442d-b78a-c04039677378
related:
    - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
      type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-12-31
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_payload:
        - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - Payload|re: '\*mdr\*\W\s*\)\.Name'
        - Payload|re: '\$VerbosePreference\.ToString\('
        - Payload|re: '\[String\]\s*\$VerbosePreference'
    condition: selection_payload
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 6c96fc76-0eb1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher
id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
        # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
        CommandLine|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 9ac8b09b-45de-4a07-9da1-0de8c09304a3
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
related:
    - id: 779c8c12-0eb1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher - Powershell
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 779c8c12-0eb1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - Powershell
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher - Security
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - Security
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
related:
    - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'cmd'
            - 'powershell'
    selection2:
        ServiceFileName|contains:
            - '${input}'
            - 'noexit'
    selection3:
        ServiceFileName|contains:
            - ' /c '
            - ' /r '
    condition: all of selection*
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher - System
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community id 72862bf2-0eb1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - System
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection_main:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
        # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
        # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
        ImagePath|contains|all:
            - 'cmd'
            - 'powershell'
        ImagePath|contains:
            - '/c'
            - '/r'
    selection_other:
        - ImagePath|contains: 'noexit'
        - ImagePath|contains|all:
              - 'input'
              - '$'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 27aec9c9-dbb0-4939-8422-1742242471d0
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher
id: 27aec9c9-dbb0-4939-8422-1742242471d0
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        CommandLine|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - PowerShell
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 0adfbc14-0ed1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - PowerShell
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
related:
    - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - Security
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id dcf2db1f-f091-425b-a821-c05875b8925a
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - Security
id: dcf2db1f-f091-425b-a821-c05875b8925a
related:
    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
      type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        # ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        ServiceFileName|contains|all:
            - 'cmd'
            - '"set'
            - '-f'
        ServiceFileName|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - System
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 8ca7004b-e620-4ecb-870e-86129b5b8e75
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - System
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        ImagePath|contains|all:
            - 'cmd'
            - '"set'
            - '-f'
        ImagePath|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id e9f55347-2928-4c06-88e5-1a7f8169942e
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: e9f55347-2928-4c06-88e5-1a7f8169942e
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # CommandLine|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        CommandLine|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        CommandLine|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id e54f5149-6ba3-49cf-b153-070d24679126
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
id: e54f5149-6ba3-49cf-b153-070d24679126
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
related:
    - id: e54f5149-6ba3-49cf-b153-070d24679126
      type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
related:
    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
      type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        # ServiceFileName|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        ServiceFileName|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        ServiceFileName|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        ImagePath|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        ImagePath|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 9c14c9fa-1a63-4a64-8e57-d19280559490
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin
id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re: '(?i)(?:set).*&&\s?set.*(?:environment|invoke|\$\{?input).*&&.*"'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - PowerShell Module
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id c72aca44-8d52-45ad-8f81-f96c4d3c755e
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - PowerShell Module
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
related:
    - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
      type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - Powershell
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - Powershell
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - Security
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - Security
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
related:
    - id: 487c7524-f892-4054-b263-8a0ace63fc25
      type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'set'
            - '&&'
        ServiceFileName|contains:
            - 'environment'
            - 'invoke'
            - '${input)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - System
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 487c7524-f892-4054-b263-8a0ace63fc25
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - System
id: 487c7524-f892-4054-b263-8a0ace63fc25
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: '(?i)(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
        ImagePath|contains|all:
            - 'set'
            - '&&'
        ImagePath|contains:
            - 'environment'
            - 'invoke'
            - 'input'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id e1561947-b4e3-4a74-9bdd-83baed21bdb5
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip
id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
        # Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
        CommandLine|re: '(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - PowerShell Module
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - PowerShell Module
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
related:
    - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - Powershell
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id db92dd33-a3ad-49cf-8c2c-608c3e30ace0
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Powershell
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - Security
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
Showing 1-50 of 179
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin