← Back to Explore
sigmamediumHunting
Invoke-Obfuscation COMPRESS OBFUSCATION
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Detection Query
selection:
CommandLine|contains|all:
- new-object
- text.encoding]::ascii
CommandLine|contains:
- system.io.compression.deflatestream
- system.io.streamreader
- readtoend(
condition: selection
Author
Timur Zinniatullin, oscd.community
Created
2020-10-18
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.defense-evasionattack.t1027attack.executionattack.t1059.001
Raw Content
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
- attack.defense-evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
CommandLine|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
- 'readtoend('
condition: selection
falsepositives:
- Unknown
level: medium