PowerShell Execution With Potential Decryption Capabilities

Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.

Sigma rule

title: PowerShell Execution With Potential Decryption Capabilities
id: 434c08ba-8406-4d15-8b24-782cb071a691
status: test
description: Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.
references:
    - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-30
modified: 2023-12-05
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
    selection_cli_dir:
        CommandLine|contains:
            - "Get-ChildItem "
            - "dir "
            - "gci "
            - "ls "
    selection_cli_gc:
        CommandLine|contains:
            - "Get-Content "
            - "gc "
            - 'cat '
            - 'type '
            - 'ReadAllBytes'
    selection_cli_specific:
        - CommandLine|contains|all:
              - ' ^| '
              - '\*.lnk'
              - '-Recurse'
              - '-Skip '
        - CommandLine|contains|all:
              - ' -ExpandProperty '
              - '\*.lnk'
              - 'WriteAllBytes'
              - ' .length '
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
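The rule combines four selections with `all of selection_*`, so an event must satisfy every one of them: the PowerShell image and original file name (ANDed inside `selection_img`), a directory-listing cmdlet, a file-reading cmdlet, and one of the two `contains|all` groups in `selection_cli_specific` (a list of maps, so ORed). Note also that `'\*.lnk'` is an escaped wildcard and matches a literal `*.lnk`, not just any `.lnk` path. The following is an added example, not part of the rule or of the Sigma project: a small offline evaluator that re-implements only the Sigma semantics this rule relies on and runs them over constructed process_creation events, so the matching and non-matching cases can be checked before the rule is deployed through a real converter such as pySigma. Field names (`Image`, `OriginalFileName`, `CommandLine`) follow the rule; every sample event is constructed test data, and the matching command lines are token sequences that exercise the indicators, not working commands.

```python
"""Offline check of this rule's detection logic against constructed events.

Added example, not the rule's or the Sigma project's code. It implements just
the Sigma semantics the rule uses: case-insensitive matching, '*'/'?' wildcards
with '\\*' as a literal asterisk, the contains/endswith modifiers, 'all' on
value lists, map entries ANDed, lists of maps ORed, and 'all of selection_*'.
"""
import re

# The rule's detection section transcribed as Python data (condition below).
RULE_DETECTION = {
    "selection_img": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "OriginalFileName": ["PowerShell.EXE", "pwsh.dll"],
    },
    "selection_cli_dir": {
        "CommandLine|contains": ["Get-ChildItem ", "dir ", "gci ", "ls "],
    },
    "selection_cli_gc": {
        "CommandLine|contains": ["Get-Content ", "gc ", "cat ", "type ", "ReadAllBytes"],
    },
    "selection_cli_specific": [  # list of maps: any one map may match
        {"CommandLine|contains|all": [" ^| ", "\\*.lnk", "-Recurse", "-Skip "]},
        {"CommandLine|contains|all": [" -ExpandProperty ", "\\*.lnk", "WriteAllBytes", " .length "]},
    ],
}


def sigma_value_to_regex(value):
    """Translate one Sigma string value into a regex fragment.

    '*' and '?' are wildcards; a backslash in front of them makes them literal.
    Any other character is matched literally.
    """
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))  # escaped wildcard -> literal
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return "".join(out)


def field_matches(field_value, value, op):
    """Apply one modifier (contains/endswith/startswith/equals) case-insensitively."""
    pat = sigma_value_to_regex(value)
    if op == "endswith":
        pat += "$"
    elif op == "startswith":
        pat = "^" + pat
    elif op != "contains":  # no modifier means exact match
        pat = "^" + pat + "$"
    return re.search(pat, field_value or "", re.IGNORECASE | re.DOTALL) is not None


def entry_matches(event, key, values):
    """One 'Field|modifiers: values' entry. Lists are ORed unless 'all' is set."""
    field, *mods = key.split("|")
    want_all = "all" in mods
    op = next((m for m in mods if m != "all"), "equals")
    values = values if isinstance(values, list) else [values]
    hits = [field_matches(event.get(field), v, op) for v in values]
    return all(hits) if want_all else any(hits)


def selection_matches(event, selection):
    """A map ANDs its entries; a list of maps ORs the maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(entry_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection_*"""
    return all(selection_matches(event, sel) for sel in RULE_DETECTION.values())


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events. The matching command lines only string the rule's
# indicator tokens together; they are test data, not real commands.
SAMPLE_EVENTS = {
    "dir_gc_pipe_skip": {
        "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -c "dir C:\Constructed\*.lnk -Recurse ^| gc -Skip 0"'},
    "expandproperty_writeallbytes": {
        "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -c "ls C:\Constructed\*.lnk | Select -ExpandProperty FullName ; cat in.bin ; WriteAllBytes .length "'},
    # Admin enumerating shortcuts: listing cmdlet only, no file read, no pipe/skip.
    "admin_lists_shortcuts": {
        "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -Command "Get-ChildItem C:\Users\Public\Desktop\*.lnk -Recurse"'},
    # Same tokens but a single file name: '\*.lnk' needs a literal asterisk.
    "no_literal_asterisk": {
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
        "CommandLine": r'pwsh -c "gci C:\Constructed\single.lnk -Recurse ^| gc -Skip 1"'},
    # Not PowerShell at all: selection_img requires both image fields to match.
    "not_powershell_image": {
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'cmd.exe /c "dir C:\Constructed\*.lnk -Recurse ^| gc -Skip 0"'},
}


def evaluate_samples():
    """Return {sample name: True if the rule fires} for every constructed event."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

Running the script prints one line per sample; the first two fire and the other three do not. The `no_literal_asterisk` case is the one most worth keeping in mind when tuning: because `\*.lnk` is an escaped wildcard, the rule keys on a wildcarded shortcut glob rather than on any `.lnk` argument, which is what keeps ordinary `Get-ChildItem` usage out of the alert stream.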
