Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

Sigma Rules

Summary
This Sigma rule detects obfuscated PowerShell launched through the VAR++ launcher of Invoke-Obfuscation. It applies a regular expression to the Payload field of PowerShell module-logging events (Event ID 4103 in the Microsoft-Windows-PowerShell/Operational log), so module logging must be enabled on the endpoint for the rule to fire at all. The expression keys on the structure the launcher emits rather than on any particular command: environment variables defined with `set` and chained by `&&`, a PowerShell format string with several `{n}` placeholders reassembled by the `-f` operator, and a nested `cmd /c` that executes the result. The rule's level is high because legitimate scripts rarely combine these three features, so a match is a strong indicator of defense evasion; a hit should be triaged by resolving the format string to recover the hidden command. The rule was authored by Timur Zinniatullin of oscd.community.
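As an added example, which is not part of the rule or of this page, the following Python script runs an approximation of the rule's logic over a few constructed Event ID 4103 Payload values and then resolves the format string so an analyst can see what the launcher was hiding. The regular expressions, the sample events and the function names are assumptions made for this illustration; the published rule's own detection text is not reproduced here.

```python
import re
from typing import Dict, List, Optional

# Approximation of the VAR++ launcher structure (assumption: an illustrative regex
# written for this example, not the published rule's own expression). In order it
# requires "&&" followed by "set", three or more "{n}" placeholders, the PowerShell
# -f format operator, another "&&", and a nested "cmd ... /c".
VAR_LAUNCHER_RE = re.compile(
    r"&&\s*set\b.*?(?:\{\d\}){3,}.*?-f\b.*?&&.*?\bcmd\b.*?/c",
    re.IGNORECASE | re.DOTALL,
)

# Captures a format string with adjacent placeholders and its quoted -f operands,
# e.g.  "{2}{0}{1}" -f 'a','b','c'.  The closing quote may be escaped as \"
# because the launcher nests PowerShell inside cmd.exe quoting.
FORMAT_RE = re.compile(
    r'''"((?:\{\d\})+)\\?"\s*-f\s*((?:'[^']*'\s*,?\s*)+)''',
    re.IGNORECASE,
)

# Constructed sample events shaped like Microsoft-Windows-PowerShell/Operational
# Event ID 4103 records (only the fields this example needs). The first mimics a
# VAR++ launcher; the others are benign and show what the regex ignores.
SAMPLE_EVENTS: List[Dict] = [
    {
        "name": "var_plus_plus_launcher",
        "EventID": 4103,
        "Payload": (
            'cmd /c "set Hqy=-nop -w hidden && '
            "set vQ=&(\\\"{2}{0}{1}\\\" -f '-H','ost','Write') 'pwned' && "
            'cmd /c powershell %Hqy% -c \\"%vQ%\\""'
        ),
    },
    {
        "name": "benign_module_call",
        "EventID": 4103,
        "Payload": (
            'CommandInvocation(Get-ChildItem): "Get-ChildItem"\r\n'
            'ParameterBinding(Get-ChildItem): name="Path"; value="C:\\Users"'
        ),
    },
    {
        # A format string on its own is ordinary PowerShell; the rule needs the
        # surrounding set/&&/cmd structure too, so this must not alert.
        "name": "benign_format_string",
        "EventID": 4103,
        "Payload": "Write-Output (\"{0}{1}{2}\" -f 'a','b','c')",
    },
    {
        # Chained set statements without any {n} placeholders: also no alert.
        "name": "benign_batch_chain",
        "EventID": 4103,
        "Payload": 'cmd /c "set X=1 && set Y=2 && cmd /c echo %X%%Y%"',
    },
]


def matches_var_launcher(payload: str) -> bool:
    """True when the Payload text has the launcher structure the regex encodes."""
    return VAR_LAUNCHER_RE.search(payload) is not None


def resolve_format_string(text: str) -> Optional[str]:
    """Reassemble the first "{i}{j}..." -f 'a','b',... expression found in text.

    Returns None when no such expression exists or an index is out of range, so
    a malformed payload never raises during triage.
    """
    m = FORMAT_RE.search(text)
    if m is None:
        return None
    order = [int(d) for d in re.findall(r"\{(\d)\}", m.group(1))]
    parts = re.findall(r"'([^']*)'", m.group(2))
    if any(i >= len(parts) for i in order):
        return None
    return "".join(parts[i] for i in order)


def scan_events(events: List[Dict]) -> List[Dict]:
    """Return one finding per matching 4103 event: its name and the resolved command."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 4103 and matches_var_launcher(ev["Payload"]):
            findings.append(
                {"name": ev["name"], "resolved": resolve_format_string(ev["Payload"])}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {finding['name']}: format string resolves to {finding['resolved']!r}")
```

Running the script alerts only on the constructed launcher event and recovers `Write-Host` from the `"{2}{0}{1}" -f '-H','ost','Write'` fragment. The benign format-string event is the instructive negative: `-f` reassembly alone is common in legitimate scripts, and the resolver reads it just as happily, which is why the detection anchors on the whole `set`/`&&`/`cmd /c` structure and the resolver is used only for triage after a match.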
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2020-10-13