Potential Binary Or Script Dropper Via PowerShell

Detects PowerShell creating a binary executable or a script file.

Sigma rule

```yaml
title: Potential Binary Or Script Dropper Via PowerShell
id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
status: test
description: Detects PowerShell creating a binary executable or a script file.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-17
modified: 2025-07-04
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.ocx'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    filter_main_user_temp:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_other_temp:
        # Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
        TargetFilename|startswith:
            - 'C:\Windows\Temp\'
            - 'C:\Windows\SystemTemp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_powershell_module:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\WindowsPowerShell\Modules\' # C:\Users\xxxx\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.12\lib\net47\PowerShellYamlSerializer.dll
        TargetFilename|endswith: '.dll'
    filter_main_nuget:
        TargetFilename|startswith: 'C:\Program Files\PackageManagement\ProviderAssemblies\nuget\'
        TargetFilename|endswith: '\Microsoft.PackageManagement.NuGetProvider.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: medium
```
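To make the condition `selection and not 1 of filter_main_*` concrete, the following is an added Python evaluator (not SigmaHQ or pySigma code) that applies this rule's selection and filter blocks to a few constructed file_event records. The field names Image and TargetFilename follow the rule; the sample paths and the username are invented.

```python
# Added example (not SigmaHQ code): a hand-written evaluator for this rule's
# detection logic, run over constructed Sysmon-style file_event records.
# Sigma string modifiers are case-insensitive, so values are lower-cased first.

POWERSHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
DROPPED_EXTENSIONS = (".bat", ".chm", ".cmd", ".com", ".dll", ".exe", ".hta",
                      ".jar", ".js", ".ocx", ".scr", ".sys", ".vbe", ".vbs", ".wsf")
NUGET_DIR = "c:\\program files\\packagemanagement\\providerassemblies\\nuget\\"

def _filter_user_temp(t: str) -> bool:
    return (t.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in t
            and t.endswith((".dll", ".exe")))

def _filter_other_temp(t: str) -> bool:
    return (t.startswith(("c:\\windows\\temp\\", "c:\\windows\\systemtemp\\"))
            and t.endswith((".dll", ".exe")))

def _filter_powershell_module(t: str) -> bool:
    return (t.startswith("c:\\users\\") and "\\windowspowershell\\modules\\" in t
            and t.endswith(".dll"))

def _filter_nuget(t: str) -> bool:
    return t.startswith(NUGET_DIR) and t.endswith("\\microsoft.packagemanagement.nugetprovider.dll")

def matches(event: dict) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*' for one file_event record."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    selection = image.endswith(POWERSHELL_IMAGES) and target.endswith(DROPPED_EXTENSIONS)
    filters = (_filter_user_temp, _filter_other_temp, _filter_powershell_module, _filter_nuget)
    return selection and not any(f(target) for f in filters)

# Constructed sample records (Sysmon Event ID 11 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\update.vbs"},        # fires
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\tmp1234.dll"},   # filtered out
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\stage.hta"},     # fires: filter only covers .dll/.exe
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\run.bat"},                  # not a PowerShell image
]

def alerting_targets(events) -> list:
    """Return the TargetFilename of every record the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches(e)]
```

Note that the temp-directory filters only suppress `.dll` and `.exe` writes, so a script file dropped into the same Temp folder still alerts, as the third sample record shows.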
