← Back to Explore
sublimehighRule
Attachment: PowerShell content
Recursively scans files and archives to detect PowerShell content. While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.
Detection Query
type.inbound
and any(attachments,
(
.file_extension in~ (
// PowerShell related file extensions
"ps1",
"ps1xml",
"psm1",
"psd1",
"pssc",
"psrc",
"cdxml",
"ps2",
"ps2xml",
"psc2",
)
or .file_extension in~ $file_extensions_common_archives
)
and any(file.explode(.),
.file_extension in~ (
"ps1",
"ps1xml",
"psm1",
"psd1",
"pssc",
"psrc",
"cdxml",
"ps2",
"ps2xml",
"psc2",
)
)
)
Author
ajpc500
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Attachment: PowerShell content"
description: |
Recursively scans files and archives to detect PowerShell content.
While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.
references:
- https://stackoverflow.com/questions/62604621/what-are-the-different-powershell-file-types
- https://en.wikipedia.org/wiki/PowerShell#:~:text=named%20native%20commands.-,Filename%20extensions,-%5Bedit%5D
- https://delivr.to/payloads?id=2d2a0629-7cbd-46f7-979a-e69d5dbd57c1
type: "rule"
authors:
- twitter: "ajpc500"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ (
// PowerShell related file extensions
"ps1",
"ps1xml",
"psm1",
"psd1",
"pssc",
"psrc",
"cdxml",
"ps2",
"ps2xml",
"psc2",
)
or .file_extension in~ $file_extensions_common_archives
)
and any(file.explode(.),
.file_extension in~ (
"ps1",
"ps1xml",
"psm1",
"psd1",
"pssc",
"psrc",
"cdxml",
"ps2",
"ps2xml",
"psc2",
)
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Scripting"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "c12566db-83af-506a-b9be-adbc01755999"