Rule Info
Name
Self-Referential Payload Extraction via PowerShell Command Line
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects PowerShell one-liners that read a file's content, extract an embedded payload via regex matching, and write the result to disk for further execution.
This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely.
The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location.
Date
2026-05-12 00:00:00
Modified
None
Id
b3e7f2a4-9c1d-4e6f-8b2a-5d3c7e1f9a4b
Tags
attack.stealth attack.execution attack.t1027 attack.t1059.001 attack.command-and-control attack.t1105
Type
Nextron Sigma feed only (private)
