PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
Sigma rule (View on GitHub)
1title: PowerShell Execution With Potential Decryption Capabilities
2id: 434c08ba-8406-4d15-8b24-782cb071a691
3status: experimental
4description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
5references:
6 - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
7author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
8date: 2023/06/30
9modified: 2023/12/05
10tags:
11 - attack.execution
12logsource:
13 product: windows
14 category: process_creation
15detection:
16 selection_img:
17 Image|endswith:
18 - '\powershell.exe'
19 - '\pwsh.exe'
20 OriginalFileName:
21 - 'PowerShell.EXE'
22 - 'pwsh.dll'
23 selection_cli_dir:
24 CommandLine|contains:
25 - "Get-ChildItem "
26 - "dir "
27 - "gci "
28 - "ls "
29 selection_cli_gc:
30 CommandLine|contains:
31 - "Get-Content "
32 - "gc "
33 - 'cat '
34 - 'type '
35 - 'ReadAllBytes'
36 selection_cli_specific:
37 - CommandLine|contains|all:
38 - ' ^| '
39 - '\*.lnk'
40 - '-Recurse'
41 - '-Skip '
42 - CommandLine|contains|all:
43 - ' -ExpandProperty '
44 - '\*.lnk'
45 - 'WriteAllBytes'
46 - ' .length '
47 condition: all of selection_*
48falsepositives:
49 - Unlikely
50level: high
References
-
Introduction In the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting […]
Read More
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- CMSTP Execution Process Access
- HackTool - CobaltStrike BOF Injection Pattern
- HackTool - HandleKatz Duplicating LSASS Handle