blue-team-tools/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml
2023-08-09 19:04:37 +02:00

```yaml
title: File Encryption Using Gpg4win
id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd
status: experimental
description: Detects usage of Gpg4win to encrypt files
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.gpg4win.de/documentation.html
    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # List of maps: the two items are OR-ed, so a renamed binary is still
    # caught if its file description matches.
    selection_metadata:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        # The binary's description carries a right single quotation mark
        # (U+2019), not an ASCII apostrophe; this is what the page's
        # "ambiguous Unicode characters" notice refers to.
        - Description: 'GnuPG’s OpenPGP tool'
    # "-c" is symmetric encryption; a passphrase on the command line
    # indicates non-interactive use.
    selection_cli:
        CommandLine|contains|all:
            - ' -c '
            - 'passphrase'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
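To make the rule's logic concrete, the following is an added example (not part of the rule or the repository) that evaluates the two selections and the `all of selection_*` condition in plain Python over constructed process-creation events. It assumes standard Sigma semantics: string matching is case-insensitive, a list of maps under a selection is OR-ed, keys within one map are AND-ed, and `contains|all` requires every listed substring.

```python
# Added example: a minimal evaluator for the Gpg4win Sigma rule above.
# Sigma semantics assumed (not part of the rule file): case-insensitive
# string matching, OR between list items under a selection, AND within a
# map, and "all of selection_*" ANDing the named selections.

IMAGE_SUFFIXES = ("\\gpg.exe", "\\gpg2.exe")
DESCRIPTION = "GnuPG\u2019s OpenPGP tool"   # U+2019, as in the rule
CLI_TOKENS = (" -c ", "passphrase")


def selection_metadata(event: dict) -> bool:
    """OR of the two list items: Image suffix match, or exact Description."""
    image = event.get("Image", "").lower()
    by_image = any(image.endswith(s) for s in IMAGE_SUFFIXES)
    by_description = event.get("Description", "").lower() == DESCRIPTION.lower()
    return by_image or by_description


def selection_cli(event: dict) -> bool:
    """contains|all: every token must appear in the CommandLine."""
    cmd = event.get("CommandLine", "").lower()
    return all(tok.lower() in cmd for tok in CLI_TOKENS)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_metadata(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
EVENTS = [
    # 1: symmetric encryption with an inline passphrase -> alert
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "Description": "GnuPG\u2019s OpenPGP tool",
     "CommandLine": r"gpg.exe --batch --passphrase secret -c C:\Users\u\report.docx"},
    # 2: detached signing, no "-c" -> no alert
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "Description": "GnuPG\u2019s OpenPGP tool",
     "CommandLine": "gpg.exe --detach-sign release.tar.gz"},
    # 3: renamed binary; caught via the Description branch -> alert
    {"Image": r"C:\Users\u\AppData\Local\Temp\x.exe",
     "Description": "GnuPG\u2019s OpenPGP tool",
     "CommandLine": "x.exe --passphrase-fd 0 -c payload.bin"},
]


def evaluate(events=EVENTS) -> list:
    return [matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate()):
        print("ALERT" if hit else "     ", e["CommandLine"])
```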