Potential Binary Or Script Dropper Via PowerShell

Rule Info

Name
Potential Binary Or Script Dropper Via PowerShell
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Description
Detects PowerShell creating a binary executable or a script file.
Reference
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Date
2023-03-17 00:00:00
Modified
2025-03-05 00:00:00
Id
7047d730-036f-4f40-b9d8-1c63e36d5e62
Tags
attack.persistence
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=7047d730-036f-4f40-b9d8-1c63e36d5e62

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
2025-04-07
fa27f1bc5
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
a8e1ecd65
Wagga
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28
8bf328219
Nasreddine Bencherchali
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15
0cb01970e
frack113
feat: new rule `Potential Binary Or Script Dropper Via PowerShell.EXE` (#4116)
2023-03-17
9ce7f083e
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022