Invoke-Obfuscation COMPRESS OBFUSCATION - System

Sigma Rules

Summary
This detection rule targets obfuscated PowerShell commands that use the COMPRESS OBFUSCATION technique, which attackers frequently employ to execute malicious code while evading detection. The rule identifies the threat by monitoring Service Control Manager (SCM) events that record the installation of a new service whose command line shows signs of this obfuscation. Key indicators are PowerShell commands that use 'new-object', .NET System.IO.Compression methods, and references to specific encoding and streaming constructs. The rule triggers an alert when a service installation event (EventID 7045) occurs and at least one of the defined obfuscation-related keywords appears in the service image path. Because legitimate scripts also use compression and encoding classes, false positives are possible, particularly in environments where such constructs are part of standard operations.
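As an added example (not part of this rule page or the Sigma project's own code), the following Python re-implements the summarised logic over constructed sample 7045 events and reports which keywords matched for triage. The concrete keyword strings, the sample ImagePath values and the service allowlist hook are assumptions that mirror the summary.

```python
# Event ID 7045 is the Service Control Manager's "A service was installed in the system" event.
SERVICE_INSTALL_EVENT_ID = 7045

# Assumed keyword list mirroring the summary: 'new-object', the .NET System.IO.Compression
# namespace, and encoding/stream-reading constructs. Sigma 'contains' is case-insensitive.
OBFUSCATION_KEYWORDS = (
    "new-object",
    "system.io.compression",
    "text.encoding]::ascii",
    "streamreader",
    "readtoend",
)

# Constructed sample events (not real telemetry). The first mimics the shape of a
# compress-obfuscated service command with the payload replaced by a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "UpdaterSvc", "ImagePath":
        '%COMSPEC% /c powershell -c "New-Object System.IO.StreamReader('
        'New-Object System.IO.Compression.DeflateStream(<PAYLOAD_PLACEHOLDER>), '
        '[Text.Encoding]::ASCII).ReadToEnd()"'},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # Same keywords but a different event (service state change): must not fire.
    {"EventID": 7036, "ServiceName": "Updater",
     "ImagePath": 'powershell -c "New-Object System.IO.Compression.DeflateStream"'},
]


def matched_keywords(event: dict) -> list[str]:
    """Keywords found in ImagePath for a 7045 event; empty for any other event."""
    if event.get("EventID") != SERVICE_INSTALL_EVENT_ID:
        return []
    image_path = str(event.get("ImagePath", "")).lower()
    return [kw for kw in OBFUSCATION_KEYWORDS if kw in image_path]


def is_alert(event: dict, allowlisted_services: frozenset[str] = frozenset()) -> bool:
    """Fire when at least one keyword matches, unless the service is allowlisted
    (a local tuning hook for the false positives the summary warns about)."""
    if event.get("ServiceName") in allowlisted_services:
        return False
    return bool(matched_keywords(event))


def scan(events: list[dict], allowlisted_services: frozenset[str] = frozenset()) -> list[dict]:
    """Return one triage record per alerting event, listing the matched keywords."""
    return [{"ServiceName": e.get("ServiceName"), "keywords": matched_keywords(e)}
            for e in events if is_alert(e, allowlisted_services)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT service={hit['ServiceName']!r} keywords={hit['keywords']}")
```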
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Process
Created: 2020-10-18