File Decryption Using Gpg4win
Detects usage of Gpg4win to decrypt files
Sigma rule
title: File Decryption Using Gpg4win
id: 037dcd71-33a8-4392-bb01-293c94663e5a
status: test
description: Detects usage of Gpg4win to decrypt files
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.gpg4win.de/documentation.html
    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_metadata:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - Description: 'GnuPG’s OpenPGP tool'
    selection_cli:
        CommandLine|contains|all:
            - ' -d '
            - 'passphrase'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
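The rule combines two selections: `selection_metadata` is a list, so either an `Image` ending in `\gpg.exe` or `\gpg2.exe` or a `Description` of `GnuPG’s OpenPGP tool` satisfies it, while `selection_cli` needs both ` -d ` and `passphrase` somewhere in the command line; `all of selection_*` requires both selections. The following is an added example, not part of the Sigma project or this rule, that evaluates that logic in Python over a handful of constructed process_creation events (field names `Image`, `Description` and `CommandLine` are the ones the Sigma `process_creation` log source uses; the paths and command lines are invented for illustration). It mirrors Sigma's default case-insensitive matching, shows why the `Description` alternative catches a renamed binary, and includes a long-form `--decrypt` invocation to make the rule's scope visible to whoever tunes it.

```python
# Added example: evaluate the "File Decryption Using Gpg4win" Sigma rule's
# detection logic over constructed process_creation events. Not project code.

IMAGE_SUFFIXES = ("\\gpg.exe", "\\gpg2.exe")          # Image|endswith
DESCRIPTION_VALUE = "gnupg’s openpgp tool"            # Description (curly apostrophe, as in the rule)
CLI_REQUIRED_ALL = (" -d ", "passphrase")             # CommandLine|contains|all


def _lc(value):
    """Sigma string matching is case-insensitive by default; missing fields match nothing."""
    return (value or "").lower()


def selection_metadata(event):
    """OR over the list items: image name suffix OR file description."""
    image = _lc(event.get("Image"))
    description = _lc(event.get("Description"))
    return image.endswith(IMAGE_SUFFIXES) or description == DESCRIPTION_VALUE


def selection_cli(event):
    """AND over the contains|all values."""
    cmdline = _lc(event.get("CommandLine"))
    return all(token in cmdline for token in CLI_REQUIRED_ALL)


def matches(event):
    """condition: all of selection_*"""
    return selection_metadata(event) and selection_cli(event)


# Constructed sample events (assumed field names follow the Sigma process_creation schema).
SAMPLE_EVENTS = [
    {   # batch decryption with an inline passphrase: the pattern the rule targets
        "id": "evt-1",
        "Image": "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe",
        "Description": "GnuPG’s OpenPGP tool",
        "CommandLine": 'gpg.exe --batch --yes --passphrase "example" -d C:\\Users\\Public\\update.gpg',
    },
    {   # encryption, not decryption: selection_cli fails
        "id": "evt-2",
        "Image": "C:\\Program Files (x86)\\GnuPG\\bin\\gpg2.exe",
        "Description": "GnuPG’s OpenPGP tool",
        "CommandLine": "gpg2.exe -e -r alice@example.com report.docx",
    },
    {   # interactive decryption without a passphrase on the command line: no match
        "id": "evt-3",
        "Image": "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe",
        "Description": "GnuPG’s OpenPGP tool",
        "CommandLine": "gpg.exe -d report.gpg",
    },
    {   # renamed binary: Image does not match, but the PE description still does
        "id": "evt-4",
        "Image": "C:\\Users\\Public\\svc.exe",
        "Description": "GnuPG’s OpenPGP tool",
        "CommandLine": "svc.exe --batch --passphrase-fd 0 -d C:\\Users\\Public\\stage.gpg",
    },
    {   # long-form --decrypt: outside this rule's scope, worth knowing when tuning
        "id": "evt-5",
        "Image": "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe",
        "Description": "GnuPG’s OpenPGP tool",
        "CommandLine": "gpg.exe --batch --passphrase example --decrypt data.gpg",
    },
]


def run(events):
    """Return the ids of events the rule would alert on."""
    return [event["id"] for event in events if matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f'{event["id"]}: {"ALERT" if matches(event) else "no match"}')
```

Running it prints an alert for evt-1 and evt-4 only. Two points stand out for anyone deploying the rule: the `Description` branch depends on the telemetry source populating the file description (Sysmon does, a bare Security 4688 event does not), and the command-line selection keys specifically on the short `-d` switch, so coverage of long-form invocations is a tuning decision rather than something the rule provides.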