Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Binary Or Script Dropper Via PowerShell

Detects PowerShell creating a binary executable or a script file.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Fri Mar 17Updated Fri Jul 047047d730-036f-4f40-b9d8-1c63e36d5e62windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic5 selectors
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.ocx'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    filter_main_user_temp:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_other_temp:
        # Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
        TargetFilename|startswith:
            - 'C:\Windows\Temp\'
            - 'C:\Windows\SystemTemp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_powershell_module:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\WindowsPowerShell\Modules\' # C:\Users\xxxx\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.12\lib\net47\PowerShellYamlSerializer.dll
        TargetFilename|endswith: '.dll'
    filter_main_nuget:
        TargetFilename|startswith: 'C:\Program Files\PackageManagement\ProviderAssemblies\nuget\'
        TargetFilename|endswith: '\Microsoft.PackageManagement.NuGetProvider.dll'
    condition: selection and not 1 of filter_main_*
False Positives

False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.

References
1
Resolving title…
zscaler.com
MITRE ATT&CK
Rule Metadata
Rule ID
7047d730-036f-4f40-b9d8-1c63e36d5e62
Status
test
Level
medium
Type
Detection
Created
Fri Mar 17
Modified
Fri Jul 04
Author
François Hubaut, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
Raw Tags
attack.persistence
View on GitHub