File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Sigma rule

title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
status: test
description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-11-30
modified: 2023-08-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_metadata:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - Product: 'GNU Privacy Guard (GnuPG)'
        - Description: 'GnuPG’s OpenPGP tool'
    selection_cli:
        CommandLine|contains: '-passphrase'
    selection_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
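To show how the three selections combine, here is an added example (not code from the Sigma project) that applies the rule's logic to constructed process_creation events: the list of maps under selection_metadata is an OR, so a renamed gpg binary is still caught through its PE Product field, while a passphrase-bearing decrypt of a file outside the listed directories is not.

```python
# Added example, not code from the Sigma project: applies the rule's logic to
# constructed process_creation events. Sigma semantics mirrored here: string
# matching is case-insensitive, a list of maps (selection_metadata) is OR,
# and 'all of selection_*' ANDs the three selections.
IMAGE_SUFFIXES = ("\\gpg.exe", "\\gpg2.exe")
PRODUCT = "gnu privacy guard (gnupg)"
DESCRIPTION = "gnupg\u2019s openpgp tool"   # curly apostrophe as in the rule
PASSPHRASE_TOKEN = "-passphrase"            # also matches --passphrase-fd/-file
SUSPICIOUS_PATHS = (
    ":\\perflogs\\", ":\\temp\\", ":\\users\\public\\", ":\\windows\\temp\\",
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'condition: all of selection_*'."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_metadata = (
        any(image.endswith(s) for s in IMAGE_SUFFIXES)
        or event.get("Product", "").lower() == PRODUCT
        or event.get("Description", "").lower() == DESCRIPTION
    )
    selection_cli = PASSPHRASE_TOKEN in cmd
    selection_paths = any(p in cmd for p in SUSPICIOUS_PATHS)
    return selection_metadata and selection_cli and selection_paths


GPG = "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe"
# Constructed sample events; paths and passphrases are hypothetical.
SAMPLE_EVENTS = {
    # batch decrypt of a file staged in a world-writable directory
    "decrypt_in_public": {"Image": GPG, "CommandLine":
        'gpg.exe --batch --passphrase "x" -d C:\\Users\\Public\\run.exe.gpg'},
    # renamed binary: Image misses, but the PE Product field still matches
    "renamed_binary": {"Image": "C:\\Users\\Public\\svc.exe",
        "Product": "GNU Privacy Guard (GnuPG)", "CommandLine":
        "svc.exe --passphrase-fd 0 -d C:\\Windows\\Temp\\stage.bin"},
    # passphrase present, but the file is in the user's Documents folder
    "documents_dir": {"Image": GPG, "CommandLine":
        "gpg.exe --passphrase x -d C:\\Users\\alice\\Documents\\report.gpg"},
    # suspicious path, but no passphrase on the command line (interactive)
    "no_passphrase": {"Image": GPG,
        "CommandLine": "gpg.exe -d C:\\Users\\Public\\report.gpg"},
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}
```

Only the first two samples fire; the Documents-folder case shows why the path selection keeps routine user decrypts out of the alert stream.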