Date: 08/13/2024
Severity: High
Summary
Identifies the TOKEN OBFUSCATION technique used by Invoke-Obfuscation by matching PowerShell script block text (event ID 4104) against the patterns listed below.
Indicators of Compromise (IOC) List
Field | Values
ScriptBlockText | '\w+`(\w+|-|.)`[\w+|\s]', '"(\{\d\}){2,}"\s*-f', '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}', '${env:path}', 'it will return true or false instead', 'The function also prevents `Get-ItemProperty` from failing', '`r`n'
Path (excluded by the queries below) | 'C:\Program Files\Microsoft\Exchange Server\', '\bin\servicecontrol.ps1'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (resourcename = "Windows Security" AND eventtype in ("4104" ) ) AND rawmessages not in ("C:\\Program Files\\Microsoft\\Exchange Server", "\\bin\\servicecontrol.ps1") AND winmessage in ("\\w+`(\\w+|-|.)`[\\w+|\\s]" ,"(\\{\\d\\}){2,}","\\s*-f" , "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}" , "${env:path}" , "it will return true or false instead" , "The function also prevents `Get-ItemProperty` from failing" , "`r`n" ) |
Detection Query 2 | (technologygroup = "EDR" ) AND winmessages not in ("C:\\Program Files\\Microsoft\\Exchange Server", "\\bin\\servicecontrol.ps1") AND winmessage in ("\\w+`(\\w+|-|.)`[\\w+|\\s]" ,"(\\{\\d\\}){2,}","\\s*-f" , "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}" , "${env:path}" , "it will return true or false instead" , "The function also prevents `Get-ItemProperty` from failing" , "`r`n" ) |
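As an added example (not part of the original detection content and not the Sigma project's code), the following Python applies the three regular expressions above, the Exchange servicecontrol.ps1 path exclusion and, as the referenced Sigma rule does, the listed literal strings as false-positive exclusions, to constructed 4104 ScriptBlockText samples. The field names ScriptBlockText and Path follow the page; the sample events and the Exchange path are constructed.

```python
import re

# The three regular expressions from the referenced Sigma rule, run against
# the ScriptBlockText of PowerShell script block logging events (ID 4104).
TOKEN_OBFUSCATION_PATTERNS = [
    re.compile(r"\w+`(\w+|-|.)`[\w+|\s]"),                 # back-ticks split inside a token
    re.compile(r'"(\{\d\}){2,}"\s*-f'),                     # "{1}{0}" -f ... string reassembly
    re.compile(r"(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}"),   # ${env:path} with back-ticks inserted
]

# Literal strings the Sigma rule lists as known false positives (case-insensitive
# contains): an unobfuscated ${env:path}, help text, and `r`n line breaks.
FALSE_POSITIVE_STRINGS = [
    "${env:path}",
    "it will return true or false instead",
    "The function also prevents `Get-ItemProperty` from failing",
    "`r`n",
]

# Exchange Server's own servicecontrol.ps1 is excluded by its Path.
EXCHANGE_PREFIX = "C:\\Program Files\\Microsoft\\Exchange Server\\"
EXCHANGE_SUFFIX = "\\bin\\servicecontrol.ps1"

def is_token_obfuscation(script_block_text: str, path: str = "") -> bool:
    """True when the event should alert: a pattern matches and no exclusion applies."""
    if path.startswith(EXCHANGE_PREFIX) and path.endswith(EXCHANGE_SUFFIX):
        return False
    lowered = script_block_text.lower()
    if any(fp.lower() in lowered for fp in FALSE_POSITIVE_STRINGS):
        return False
    return any(p.search(script_block_text) for p in TOKEN_OBFUSCATION_PATTERNS)

def scan_events(events):
    """Return the ScriptBlockText of every event that alerts."""
    return [e["ScriptBlockText"] for e in events
            if is_token_obfuscation(e["ScriptBlockText"], e.get("Path", ""))]

# Constructed sample events (not real telemetry); only the first three should alert.
SAMPLE_EVENTS = [
    {"ScriptBlockText": "I`nvo`ke-Ex`pressi`on $payload"},                 # back-tick tokens
    {"ScriptBlockText": '& ("{1}{0}" -f "EX","I")'},                       # format reordering
    {"ScriptBlockText": "$p = ${`e`Nv`:pAt`h}"},                           # obfuscated env:path
    {"ScriptBlockText": 'Write-Output "line1`r`nline2"'},                  # benign `r`n
    {"ScriptBlockText": "$p = ${env:path}"},                               # benign env:path
    {"ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},  # no pattern
    {"ScriptBlockText": "I`nvo`ke-Ex`pressi`on $x",                        # constructed Exchange path
     "Path": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\servicecontrol.ps1"},
]
```

Calling scan_events(SAMPLE_EVENTS) returns the first three script blocks; the `r`n, plain ${env:path} and Exchange-path events are suppressed by the exclusions exactly as the Sigma rule's filters would suppress them.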
References:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
https://github.com/danielbohannon/Invoke-Obfuscation