← Back to Explore
sigmahighHunting
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
Detection Query
selection_img:
Image|endswith:
- \powershell.exe
- \pwsh.exe
OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_cli_dir:
CommandLine|contains:
- "Get-ChildItem "
- "dir "
- "gci "
- "ls "
selection_cli_gc:
CommandLine|contains:
- "Get-Content "
- "gc "
- "cat "
- "type "
- ReadAllBytes
selection_cli_specific:
- CommandLine|contains|all:
- " ^| "
- \*.lnk
- -Recurse
- "-Skip "
- CommandLine|contains|all:
- " -ExpandProperty "
- \*.lnk
- WriteAllBytes
- " .length "
condition: all of selection_*
Author
X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2023-06-30
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.execution
Raw Content
title: PowerShell Execution With Potential Decryption Capabilities
id: 434c08ba-8406-4d15-8b24-782cb071a691
status: test
description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
references:
- https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-30
modified: 2023-12-05
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_dir:
CommandLine|contains:
- "Get-ChildItem "
- "dir "
- "gci "
- "ls "
selection_cli_gc:
CommandLine|contains:
- "Get-Content "
- "gc "
- 'cat '
- 'type '
- 'ReadAllBytes'
selection_cli_specific:
- CommandLine|contains|all:
- ' ^| '
- '\*.lnk'
- '-Recurse'
- '-Skip '
- CommandLine|contains|all:
- ' -ExpandProperty '
- '\*.lnk'
- 'WriteAllBytes'
- ' .length '
condition: all of selection_*
falsepositives:
- Unlikely
level: high