Gzip Archive Decode Via PowerShell
Detects attempts of decoding encoded Gzip archives via PowerShell.
Sigma rule
```yaml
title: Gzip Archive Decode Via PowerShell
id: 98767d61-b2e8-4d71-b661-e36783ee24c1
status: test
description: Detects attempts of decoding encoded Gzip archives via PowerShell.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
    - attack.command-and-control
    - attack.t1132.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'GZipStream'
            - '::Decompress'
    condition: selection
falsepositives:
    - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
level: medium
```
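As an added example (not part of the rule or the Sigma project), the rule's `contains|all` selection applied to constructed `process_creation` events, together with the `ParentImage` allowlist its falsepositives note suggests; the parent paths, script and placeholder payload are constructed for illustration.

```python
# Added example: evaluate the rule's selection and a ParentImage allowlist
# against constructed process_creation events. Not the rule's own code.
from dataclasses import dataclass

# Tokens from the rule; Sigma 'contains' matching is case-insensitive.
CONTAINS_ALL = ("GZipStream", "::Decompress")


@dataclass
class ProcessEvent:
    command_line: str
    parent_image: str


def selection_matches(command_line: str) -> bool:
    """Sigma 'CommandLine|contains|all': every token must be present."""
    lowered = command_line.lower()
    return all(tok.lower() in lowered for tok in CONTAINS_ALL)


def evaluate(event: ProcessEvent, allowed_parents=()) -> str:
    """Return 'alert', 'filtered' (matched but allowlisted parent) or 'none'."""
    if not selection_matches(event.command_line):
        return "none"
    if event.parent_image.lower() in {p.lower() for p in allowed_parents}:
        return "filtered"
    return "alert"


# Constructed sample events; '<BASE64>' stands in for an encoded payload.
INLINE_DECODE = (
    'powershell.exe -nop -w hidden -c "$g = New-Object IO.Compression.GZipStream('
    "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('<BASE64>'))),"
    '[IO.Compression.CompressionMode]::Decompress)"'
)
ADMIN_SCRIPT = (
    'powershell.exe -c "$z = New-Object IO.Compression.GZipStream($in,'
    '[IO.Compression.CompressionMode]::Decompress); $z.CopyTo($out)"'
)
SAMPLE_EVENTS = [
    ProcessEvent(INLINE_DECODE, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"),
    ProcessEvent(ADMIN_SCRIPT, r"C:\Program Files\BackupAgent\agent.exe"),  # constructed
    ProcessEvent("powershell.exe -c Get-Process", r"C:\Windows\explorer.exe"),
]
ALLOWED_PARENTS = (r"C:\Program Files\BackupAgent\agent.exe",)  # constructed allowlist


def run_samples() -> list:
    """Verdicts for the sample events, in order."""
    return [evaluate(e, ALLOWED_PARENTS) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:8} {ev.parent_image}")
```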
Related rules
- DNS Exfiltration and Tunneling Tools Execution
- Suspicious FromBase64String Usage On Gzip Archive - Process Creation
- Suspicious FromBase64String Usage On Gzip Archive - Ps Script
- ADSI-Cache File Creation By Uncommon Tool
- APT User Agent