Portable Gpg.EXE Execution

calendar Nov 10, 2023 · attack.impact attack.t1486  ·
Share on: linkedin copy

Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

Sigma rule (View on GitHub)

 1title: Portable Gpg.EXE Execution
 2id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41
 3status: experimental
 4description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
 5references:
 6    - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
 7    - https://securelist.com/locked-out/68960/
 8    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
 9author: frack113, Nasreddine Bencherchali (Nextron Systems)
10date: 2023/08/06
11modified: 2023/11/10
12tags:
13    - attack.impact
14    - attack.t1486
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - Image|endswith:
21              - '\gpg.exe'
22              - '\gpg2.exe'
23        - OriginalFileName: 'gpg.exe'
24        - Description: 'GnuPG’s OpenPGP tool'
25    filter_main_legit_location:
26        Image|contains:
27            - ':\Program Files (x86)\GNU\GnuPG\bin\'
28            - ':\Program Files (x86)\GnuPG VS-Desktop\'
29            - ':\Program Files (x86)\GnuPG\bin\'
30            - ':\Program Files (x86)\Gpg4win\bin\'
31    condition: selection and not 1 of filter_main_*
32level: medium

References

Related rules

to-top