Renamed Gpg.EXE Execution

calendar Aug 12, 2024 · attack.impact attack.t1486  ·
Share on: linkedin copy

Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.

Sigma rule (View on GitHub)

 1title: Renamed Gpg.EXE Execution
 2id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592
 3status: test
 4description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
 5references:
 6    - https://securelist.com/locked-out/68960/
 7author: Nasreddine Bencherchali (Nextron Systems), frack113
 8date: 2023-08-09
 9tags:
10    - attack.impact
11    - attack.t1486
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        OriginalFileName: 'gpg.exe'
18    filter_main_img:
19        Image|endswith:
20            - '\gpg.exe'
21            - '\gpg2.exe'
22    condition: selection and not 1 of filter_main_*
23level: high

References

  • ‘Locked Out’

    In this article we look at the evolution of complication of the encryption schemes used by virus writers and the methods they adopt to put pressure on their victims. At the end of the article there is some advice for users which might help them protect important files.


    Read More

Related rules

to-top