Potential POWERTRASH Script Execution

Detects potential execution of the PowerShell script POWERTRASH

Sigma rule (View on GitHub)

 1title: Potential POWERTRASH Script Execution
 2id: 4e19528a-f081-40dd-be09-90c39352bd64
 3status: test
 4description: Detects potential execution of the PowerShell script POWERTRASH
 5references:
 6    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-05-04
 9tags:
10    - attack.execution
11    - attack.t1059.001
12    - attack.g0046
13    - detection.emerging-threats
14logsource:
15    product: windows
16    category: ps_script
17    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
18detection:
19    selection:
20        ScriptBlockText|contains|all:
21            - 'IO.Compression.DeflateStream'
22            - 'IO.MemoryStream'
23            - '::FromBase64String'
24            - 'GetDelegateForFunctionPointer'
25            - '.Invoke()'
26            - 'GlobalAssemblyCache'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top