CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/win_invoke_obfuscation_var_services_security.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

33 lines
942 B
YAML
Raw Blame History

title: Invoke-Obfuscation VAR+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceFileName|re: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: dcf2db1f-f091-425b-a821-c05875b8925a
level: high
logsource:
product: windows
service: security
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: win_invoke_obfuscation_var_services_security.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
Reference in New Issue View Git Blame Copy Permalink