Attachment: PowerShell content

Recursively scans files and archives to detect PowerShell content.

While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.

Sublime rule

name: "Attachment: PowerShell content"
description: |
  Recursively scans files and archives to detect PowerShell content.

  While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.
references:
  - https://stackoverflow.com/questions/62604621/what-are-the-different-powershell-file-types
  - https://en.wikipedia.org/wiki/PowerShell#:~:text=named%20native%20commands.-,Filename%20extensions,-%5Bedit%5D
  - https://delivr.to/payloads?id=2d2a0629-7cbd-46f7-979a-e69d5dbd57c1
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ (
              // PowerShell related file extensions
              "ps1",
              "ps1xml",
              "psm1",
              "psd1",
              "pssc",
              "psrc",
              "cdxml",
              "ps2",
              "ps2xml",
              "psc2",
            )
            or .file_extension in~ $file_extensions_common_archives
          )
          and any(file.explode(.),
                  .file_extension in~ (
                    "ps1",
                    "ps1xml",
                    "psm1",
                    "psd1",
                    "pssc",
                    "psrc",
                    "cdxml",
                    "ps2",
                    "ps2xml",
                    "psc2",
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "c12566db-83af-506a-b9be-adbc01755999"
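The rule's logic, re-implemented in Python as an added example (not Sublime's code) so the recursion and the case-insensitive `in~` match can be exercised on a constructed message: it assumes `file.explode` also yields the input file itself, and it stands in for `$file_extensions_common_archives` with zip only.

```python
import io
import zipfile

# Extension list copied from the rule; the archive list stands in for Sublime's
# $file_extensions_common_archives (assumption: only zip is exploded here).
POWERSHELL_EXTENSIONS = {"ps1", "ps1xml", "psm1", "psd1", "pssc", "psrc",
                         "cdxml", "ps2", "ps2xml", "psc2"}
ARCHIVE_EXTENSIONS = {"zip"}

def extension(name: str) -> str:
    """Lower-cased extension, emulating the rule's case-insensitive in~."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def explode(name: str, data: bytes):
    """Yield (name, data) for the file itself and, recursively, every archive
    member; assumption: file.explode likewise includes the input file."""
    yield name, data
    if extension(name) in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if not member.is_dir():
                        yield from explode(member.filename, zf.read(member))
        except zipfile.BadZipFile:
            pass  # unreadable archive: nothing to explode

def attachment_matches(name: str, data: bytes) -> bool:
    """Outer extension is PowerShell or archive, and something exploded from
    the attachment carries a PowerShell extension."""
    outer = extension(name)
    if outer not in POWERSHELL_EXTENSIONS | ARCHIVE_EXTENSIONS:
        return False
    return any(extension(n) in POWERSHELL_EXTENSIONS for n, _ in explode(name, data))

def rule_fires(attachments) -> bool:
    """attachments: iterable of (filename, bytes), like the rule's any()."""
    return any(attachment_matches(n, d) for n, d in attachments)

def build_zip(members: dict) -> bytes:
    """Constructed helper: {filename: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()

# Constructed sample: a .PS1 two archives deep, beside a benign PDF.
INNER = build_zip({"invoice.PS1": b"Write-Host 'constructed sample'"})
OUTER = build_zip({"docs/inner.zip": INNER, "readme.txt": b"hello"})
SAMPLE_ATTACHMENTS = [("report.pdf", b"%PDF-1.4"), ("bundle.zip", OUTER)]
```

`rule_fires(SAMPLE_ATTACHMENTS)` is true because the nested `invoice.PS1` is found even though the outer attachment is only a zip; a zip holding nothing but text files does not match.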