Rule Info

Name: Self-Referential Payload Extraction via PowerShell
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects PowerShell scripts that read file content, extract an embedded payload via regex matching, and write the result to disk for further execution. This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely. The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location.
Date: 2026-05-12 00:00:00
Modified: None
Id: c4f8a3b5-0d2e-5f7a-9c3b-6e4d8f2a0b5c
Tags: attack.stealth attack.execution attack.t1027 attack.t1059.001 attack.command-and-control attack.t1105
Type: Nextron Sigma feed only (private)
