detection.wiki

Detection rules › Sigma

PowerShell Execution With Potential Decryption Capabilities

Severity
high
Author
X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: [PowerShell.EXE, pwsh.dll]

Stage 2: all of selection_cli_dir

or:
CommandLine|contains: 'Get-ChildItem '
CommandLine|contains: 'dir '
CommandLine|contains: 'gci '
CommandLine|contains: 'ls '

Stage 3: all of selection_cli_gc

or:
CommandLine|contains: 'Get-Content '
CommandLine|contains: ReadAllBytes
CommandLine|contains: 'cat '
CommandLine|contains: 'gc '
CommandLine|contains: 'type '

Stage 4: all of selection_cli_specific

or:
CommandLine|contains: ' -ExpandProperty '
CommandLine|contains: ' .length '
CommandLine|contains: WriteAllBytes
CommandLine|contains: '\*.lnk'
CommandLine|contains: ' ^| '
CommandLine|contains: -Recurse
CommandLine|contains: '-Skip '
CommandLine|contains: '\*.lnk'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • -ExpandProperty
  • .length
  • ^|
  • -Recurse
  • -Skip
  • Get-ChildItem corpus 2 (sigma 2)
  • Get-Content
  • ReadAllBytes
  • WriteAllBytes
  • \*.lnk
  • cat corpus 2 (sigma 2)
  • dir corpus 4 (sigma 4)
  • gc
  • gci
  • ls
  • type corpus 6 (sigma 6)
Imageends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
OriginalFileNameeq
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)