File Encryption Using Gpg4win

Detects usage of Gpg4win to encrypt files

Sigma rule (View on GitHub)

 1title: File Encryption Using Gpg4win
 2id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd
 3status: test
 4description: Detects usage of Gpg4win to encrypt files
 5references:
 6    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
 7    - https://www.gpg4win.de/documentation.html
 8    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/08/09
11tags:
12    - attack.execution
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_metadata:
18        - Image|endswith:
19              - '\gpg.exe'
20              - '\gpg2.exe'
21        - Description: 'GnuPG’s OpenPGP tool'
22    selection_cli:
23        CommandLine|contains|all:
24            - ' -c '
25            - 'passphrase'
26    condition: all of selection_*
27falsepositives:
28    - Unknown
29level: medium

References

Related rules

to-top