
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System


Summary
This detection rule targets PowerShell commands obfuscated with the Invoke-Obfuscation VAR++ launcher, as recorded by the Service Control Manager in Windows environments. It inspects event ID 7045, which records the installation of a new service, and looks for patterns in the service's ImagePath that indicate potentially malicious behavior, such as unusual command structures (`&&set`, `cmd`, `/c`, `-f`). The presence of format placeholders such as `{0}`, `{1}`, `{2}`, `{3}`, `{4}` or `{5}` in the path further suggests script obfuscation. The rule carries a high severity level because obfuscated command execution can have severe impact, and it is expected to generate false positives, which should be managed appropriately. It is part of a broader set of rules within the Sigma framework, which aims to standardize detection methodologies across platforms and tools.
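As an added illustration (not the Sigma rule itself or any Sigma engine code), the matcher below approximates the selection described above over a few constructed 7045-style events: all four launcher tokens must be present and at least one of the `{0}`..`{5}` placeholders; the field names `Provider_Name`, `EventID`, `ImagePath` and `ServiceName` are assumed to follow the usual Sigma System-log naming.

```python
REQUIRED_ALL = ("&&set", "cmd", "/c", "-f")
PLACEHOLDERS = tuple("{%d}" % i for i in range(6))   # "{0}" .. "{5}"


def matches_var_plus_plus_launcher(event):
    """True when a System-log event meets the selection described above.

    Sigma's 'contains' is case-insensitive, so the path is lower-cased.
    """
    if event.get("Provider_Name") != "Service Control Manager":
        return False
    if event.get("EventID") != 7045:          # only new-service installs
        return False
    image_path = str(event.get("ImagePath", "")).lower()
    if not all(token in image_path for token in REQUIRED_ALL):
        return False                          # every launcher token required
    return any(ph in image_path for ph in PLACEHOLDERS)  # plus one placeholder


def triage(events):
    """Return the ServiceName of each event that trips the rule."""
    return [e.get("ServiceName", "<unknown>")
            for e in events if matches_var_plus_plus_launcher(e)]


# Constructed sample events (not real telemetry). Only the first carries all
# four required tokens *and* a format placeholder; the others show why the
# all-of / one-of split and the event ID check matter.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "svc_sample_hit",
     "ImagePath": 'cmd /c set v={0}{1}&&set w=-f {2}'},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "svc_sample_no_placeholder",
     "ImagePath": 'cmd /c set p=1&&set q=-f'},           # no "{n}" token
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "svc_sample_wrong_event",
     "ImagePath": 'cmd /c set v={0}&&set w=-f'},         # state change, not install
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "svc_sample_benign",
     "ImagePath": r'C:\Windows\System32\svchost.exe -k netsvcs'},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))   # ['svc_sample_hit']
```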
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Service
Created: 2020-10-13