Gzip Archive Decode Via PowerShell

 1title: Gzip Archive Decode Via PowerShell
 2id: 98767d61-b2e8-4d71-b661-e36783ee24c1
 3status: test
 4description: Detects attempts of decoding encoded Gzip archives via PowerShell.
 5references:
 6    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 7author: Hieu Tran
 8date: 2023/03/13
 9tags:
10    - attack.command_and_control
11    - attack.t1132.001
12logsource:
13    product: windows
14    category: process_creation
15detection:
16    selection:
17        CommandLine|contains|all:
18            - 'GZipStream'
19            - '::Decompress'
20    condition: selection
21falsepositives:
22    - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
23level: medium

References

• OneNote: A Growing Threat for Malware Distribution

  

  Zscaler ThreatLabz team observed multiple OneNote malware campaign spreading RATs, Bankers, and Stealer category malware with multi-layer obfuscation.

  
  Read More

Related rules

• DNS Exfiltration and Tunneling Tools Execution
• Suspicious FromBase64String Usage On Gzip Archive - Process Creation
• Suspicious FromBase64String Usage On Gzip Archive - Ps Script
• Import LDAP Data Interchange Format File Via Ldifde.EXE
• OilRig APT Schedule Task Persistence - System