rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml

title: File Decryption Using Gpg4win
id: 037dcd71-33a8-4392-bb01-293c94663e5a
status: test
description: Detects usage of Gpg4win to decrypt files
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.gpg4win.de/documentation.html
    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_metadata:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - Description: 'GnuPG’s OpenPGP tool'
    selection_cli:
        CommandLine|contains|all:
            - ' -d '
            - 'passphrase'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
-											fix: wording
										
										
											2023-08-09 19:04:37 +02:00
+								title: File Decryption Using Gpg4win
-											feat: update gpg4win rules
										
										
											2023-08-09 17:08:59 +02:00
+								id: 037dcd71-33a8-4392-bb01-293c94663e5a
-											Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
										
										
											2024-07-01 10:42:32 +02:00
+								status: test
-											fix: wording
										
										
											2023-08-09 19:04:37 +02:00
+								description: Detects usage of Gpg4win to decrypt files
-											feat: update gpg4win rules
										
										
											2023-08-09 17:08:59 +02:00
+								references:
 								    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
 								    - https://www.gpg4win.de/documentation.html
 								    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 								author: Nasreddine Bencherchali (Nextron Systems)
-											Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
										
										
											2024-08-12 12:02:50 +02:00
+								date: 2023-08-09
-											feat: update gpg4win rules
										
										
											2023-08-09 17:08:59 +02:00
+								tags:
 								    - attack.execution
 								logsource:
 								    category: process_creation
 								    product: windows
 								detection:
 								    selection_metadata:
 								        - Image|endswith:
-											Merge PR #4482 From @nasbench - Add New Automation Workflows
										
										
											2023-10-18 11:53:44 +02:00
+								              - '\gpg.exe'
 								              - '\gpg2.exe'
-											feat: update gpg4win rules
										
										
											2023-08-09 17:08:59 +02:00
+								        - Description: 'GnuPG’s OpenPGP tool'
 								    selection_cli:
 								        CommandLine|contains|all:
 								            - ' -d '
 								            - 'passphrase'
 								    condition: all of selection_*
 								falsepositives:
 								    - Unknown
 								level: medium