sigmamediumHunting

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

MITRE ATT&CK

defense-evasionexecution

Detection Query

selection:
  EventID: 4697
  ServiceFileName|contains|all:
    - new-object
    - text.encoding]::ascii
    - readtoend
  ServiceFileName|contains:
    - system.io.compression.deflatestream
    - system.io.streamreader
condition: selection

Author

Timur Zinniatullin, oscd.community

Created

2020-10-18

Data Sources

windowssecurity

Platforms

windows

References

https://github.com/SigmaHQ/sigma/issues/1009

Tags

attack.defense-evasionattack.t1027attack.executionattack.t1059.001

Raw Content

title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.defense-evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ServiceFileName|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium