security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml
T
Nasreddine Bencherchali 95793d73bd Merge PR #4482 From @nasbench - Add New Automation Workflows 
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00

30 lines
926 B
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
title: File Decryption Using Gpg4win
id: 037dcd71-33a8-4392-bb01-293c94663e5a
status: experimental
description: Detects usage of Gpg4win to decrypt files
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.gpg4win.de/documentation.html
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- Description: 'GnuPGs OpenPGP tool'
selection_cli:
CommandLine|contains|all:
- ' -d '
- 'passphrase'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink