LoFP / legitimate administrative scripts may use this functionality. use \"parentimage\" in combination with the script names and allowed users and applications to filter legitimate executions

Techniques

• t1132
• t1132.001

Sample rules

Gzip Archive Decode Via PowerShell

• source: sigma
• technicques:
  • t1132
  • t1132.001

Description

Detects attempts of decoding encoded Gzip archives via PowerShell.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - GZipStream
  - ::Decompress