← Library
sigmaDRL-1.1from SigmaHQ/sigma

PowerShell Execution With Potential Decryption Capabilities

Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.

Quality
54
FP risk
Forks
0
Views
0
Rule sourcerules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
title: PowerShell Execution With Potential Decryption Capabilities
id: 434c08ba-8406-4d15-8b24-782cb071a691
status: test
description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
references:
    - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-30
modified: 2023-12-05
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
    selection_cli_dir:
        CommandLine|contains:
            - "Get-ChildItem "
            - "dir "
            - "gci "
            - "ls "
    selection_cli_gc:
        CommandLine|contains:
            - "Get-Content "
            - "gc "
            - 'cat '
            - 'type '
            - 'ReadAllBytes'
    selection_cli_specific:
        - CommandLine|contains|all:
              - ' ^| '
              - '\*.lnk'
              - '-Recurse'
              - '-Skip '
        - CommandLine|contains|all:
              - ' -ExpandProperty '
              - '\*.lnk'
              - 'WriteAllBytes'
              - ' .length '
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high