File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Sigma rule (View on GitHub)
1title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
2id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
3status: experimental
4description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
5references:
6 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
7 - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
8author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
9date: 2022/11/30
10modified: 2023/08/09
11tags:
12 - attack.execution
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_metadata:
18 - Image|endswith:
19 - '\gpg.exe'
20 - '\gpg2.exe'
21 - Product: 'GNU Privacy Guard (GnuPG)'
22 - Description: 'GnuPG’s OpenPGP tool'
23 selection_cli:
24 CommandLine|contains: '-passphrase'
25 selection_paths:
26 CommandLine|contains:
27 - ':\PerfLogs\'
28 - ':\Temp\'
29 - ':\Users\Public\'
30 - ':\Windows\Temp\'
31 - '\AppData\Local\Temp\'
32 - '\AppData\Roaming\'
33 condition: all of selection_*
34falsepositives:
35 - Unknown
36level: high
References
-
We explore the Batloader malware, its history, attributes, how it is delivered, the infection chain, and Carbon Black’s detection capabilities.
Read More -
Zloader is a banking trojan with historical ties to the Zeus malware. Recently, Egregor and Ryuk ransomware affiliates used Zloader for the initial point of entry. Zloader featured VNC remote acce…
Read More
Related rules
- Abusable DLL Potential Sideloading From Suspicious Location
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact
- Antivirus Hacktool Detection
- Azure Kubernetes CronJob