
Invoke-Obfuscation COMPRESS OBFUSCATION

Sigma Rules

Summary
The rule detects obfuscated PowerShell code executed on Windows systems by matching command-line patterns that indicate the compress obfuscation technique of Invoke-Obfuscation. It inspects process creation events for commands typically associated with this obfuscation: `new-object` together with .NET framework components such as `system.io.compression.deflatestream` and `system.io.streamreader`, and the method calls on them, appearing in the command line signal possible malicious activity. Attackers commonly use such script obfuscation to evade security controls and hide a script's true intent; the rule is designed to catch these attempts and to strengthen security monitoring for PowerShell-based attacks. It maps to the defense evasion and execution tactics of the MITRE ATT&CK framework, specifically techniques T1027 (Obfuscated Files or Information) and T1059.001 (PowerShell). The detection is condition-based, aims to keep false positives low, and carries a medium severity level, alerting analysts to investigate potential incidents.
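As an added example (not part of the rule page or the Sigma project's own code), the following Python applies the command-line token match the summary describes to a few constructed process-creation records; the exact Sigma condition, the event schema and the sample command lines are assumptions.

```python
import re

# Tokens the summary names as indicative of Invoke-Obfuscation's compress
# technique. The page does not reproduce the exact Sigma condition, so the
# combination below (new-object plus one of the two .NET types) is an assumption.
REQUIRED_ALL = ("new-object",)
REQUIRED_ANY = ("system.io.compression.deflatestream", "system.io.streamreader")


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace, mirroring Sigma's case-insensitive 'contains'."""
    return re.sub(r"\s+", " ", cmdline).lower()


def is_compress_obfuscation(cmdline: str) -> bool:
    """True when the command line carries the rule's indicative token combination."""
    c = normalize(cmdline)
    return all(t in c for t in REQUIRED_ALL) and any(t in c for t in REQUIRED_ANY)


def scan_events(events):
    """Return ids of process-creation events (Sysmon EventID 1, assumed schema) that match."""
    return [e["id"] for e in events
            if e.get("EventID") == 1 and is_compress_obfuscation(e.get("CommandLine", ""))]


# Constructed sample events; the base64 payload is a placeholder, not real data.
SAMPLE_EVENTS = [
    {"id": "evt-1", "EventID": 1,
     "CommandLine": ("powershell.exe -NoP -W Hidden -C \"IEX (New-Object System.IO.StreamReader("
                     "(New-Object System.IO.Compression.DeflateStream([IO.MemoryStream]"
                     "[Convert]::FromBase64String('<PLACEHOLDER_B64>'),"
                     "[IO.Compression.CompressionMode]::Decompress)),"
                     "[Text.Encoding]::ASCII)).ReadToEnd()\"")},
    # Benign admin command: none of the indicative tokens are present.
    {"id": "evt-2", "EventID": 1,
     "CommandLine": "powershell.exe -Command \"Get-ChildItem C:\\Logs | Measure-Object\""},
    # Plain file-reading script: New-Object + StreamReader without any compression,
    # the kind of hit that the bare token combination produces and that needs tuning.
    {"id": "evt-3", "EventID": 1,
     "CommandLine": "powershell.exe -Command \"$r = New-Object System.IO.StreamReader("
                    "'C:\\Logs\\app.log'); $r.ReadLine()\""},
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))  # ['evt-1', 'evt-3']
```

Event evt-3 shows why the rule's full condition and environment-specific tuning matter for the false-positive rate the summary mentions.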
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
Created: 2020-10-18