Potential Binary Or Script Dropper Via PowerShell

Detects PowerShell (powershell.exe or pwsh.exe) creating a file with a binary executable or script extension, the on-disk footprint of a dropper writing its payload. Writes of .dll and .exe files into the user or system Temp directories are filtered out to reduce noise from legitimate installers and updaters.

Sigma rule

title: Potential Binary Or Script Dropper Via PowerShell
id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
status: test
description: Detects PowerShell creating a binary executable or a script file.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-17
modified: 2023-05-09
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.ocx'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    filter_main_user_temp:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_admin_temp:
        # Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
        TargetFilename|startswith: 'C:\Windows\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: medium
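To see exactly which file writes this rule fires on, the following is an added example (not part of the rule or of the SigmaHQ project) that re-implements the selection, the two `filter_main_*` blocks and the condition in plain Python and runs them over a handful of constructed Sysmon Event ID 11 (FileCreate) records. It assumes the Sigma `windows`/`file_event` field names `Image` and `TargetFilename`, and it mirrors Sigma's default case-insensitive string matching by lower-casing both sides; the sample events are made up for the demonstration and are not real telemetry.

```python
"""Re-implementation of the 'Potential Binary Or Script Dropper Via PowerShell'
Sigma rule logic, applied to constructed Sysmon FileCreate (Event ID 11) records.

Added example for illustration; not the rule's own code. Field names (Image,
TargetFilename) follow the Sigma windows/file_event convention.
"""

# selection: Image|endswith
SUSPECT_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# selection: TargetFilename|endswith
SUSPECT_EXTENSIONS = (
    ".bat", ".chm", ".cmd", ".com", ".dll", ".exe", ".hta", ".jar",
    ".js", ".ocx", ".scr", ".sys", ".vbe", ".vbs", ".wsf",
)

# Both filters only excuse these two extensions, nothing else.
TEMP_FILTERED_EXTENSIONS = (".dll", ".exe")


def _selection(event):
    """selection block: PowerShell image AND a binary/script extension."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(SUSPECT_IMAGES) and target.endswith(SUSPECT_EXTENSIONS)


def _filter_main_user_temp(event):
    """filter_main_user_temp: .dll/.exe under C:\\Users\\<user>\\AppData\\Local\\Temp\\."""
    target = event.get("TargetFilename", "").lower()
    return (
        target.startswith("c:\\users\\")
        and "\\appdata\\local\\temp\\" in target
        and target.endswith(TEMP_FILTERED_EXTENSIONS)
    )


def _filter_main_admin_temp(event):
    """filter_main_admin_temp: .dll/.exe under C:\\Windows\\Temp\\."""
    target = event.get("TargetFilename", "").lower()
    return target.startswith("c:\\windows\\temp\\") and target.endswith(TEMP_FILTERED_EXTENSIONS)


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return _selection(event) and not (
        _filter_main_user_temp(event) or _filter_main_admin_temp(event)
    )


def alerts(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # script dropped into Downloads: fires
    {"Image": PS, "TargetFilename": r"C:\Users\alice\Downloads\invoice.vbs"},
    # DLL in user Temp: suppressed by filter_main_user_temp
    {"Image": PS, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\x1\helper.dll"},
    # .js in user Temp: filter only covers .dll/.exe, so this still fires
    {"Image": PS, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\launcher.js"},
    # DLL in C:\Windows\Temp: suppressed by filter_main_admin_temp
    {"Image": PWSH, "TargetFilename": r"C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll"},
    # plain text file: not in the extension list
    {"Image": PS, "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # right extension, wrong process: selection fails on Image
    {"Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Users\alice\Downloads\run.bat"},
    # .exe outside both Temp locations: fires
    {"Image": PWSH, "TargetFilename": r"C:\ProgramData\update.exe"},
]


if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT", name)
```

Two things the walk-through makes visible that are easy to miss when reading the YAML: the Temp filters excuse only `.dll` and `.exe`, so a `.js` or `.hta` written into `%TEMP%` still fires while an `.exe` written there does not, and the filters are path-prefix matches, so an executable dropped under `C:\ProgramData` or `C:\Users\<user>\Downloads` is never suppressed. Whether that trade-off suits your environment is exactly the tuning the rule's `falsepositives` note asks for.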
