Attachment: PowerShell content

 1name: "Attachment: PowerShell content"
 2description: |
 3  Recursively scans files and archives to detect PowerShell content.
 4
 5  While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.  
 6references:
 7  - https://stackoverflow.com/questions/62604621/what-are-the-different-powershell-file-types
 8  - https://en.wikipedia.org/wiki/PowerShell#:~:text=named%20native%20commands.-,Filename%20extensions,-%5Bedit%5D
 9  - https://delivr.to/payloads?id=2d2a0629-7cbd-46f7-979a-e69d5dbd57c1
10type: "rule"
11authors:
12  - twitter: "ajpc500"
13severity: "high"
14source: |
15  type.inbound
16  and any(attachments,
17          (
18            .file_extension in~ (
19              // PowerShell related file extensions
20              "ps1",
21              "ps1xml",
22              "psm1",
23              "psd1",
24              "pssc",
25              "psrc",
26              "cdxml",
27              "ps2",
28              "ps2xml",
29              "psc2",
30            )
31            or .file_extension in~ $file_extensions_common_archives
32          )
33          and any(file.explode(.),
34                  .file_extension in~ (
35                    "ps1",
36                    "ps1xml",
37                    "psm1",
38                    "psd1",
39                    "pssc",
40                    "psrc",
41                    "cdxml",
42                    "ps2",
43                    "ps2xml",
44                    "psc2",
45                  )
46          )
47  )  
48attack_types:
49  - "Malware/Ransomware"
50tactics_and_techniques:
51  - "Scripting"
52detection_methods:
53  - "Archive analysis"
54  - "File analysis"
55id: "c12566db-83af-506a-b9be-adbc01755999"