Techniques
Sample rules
PowerShell Script with Encryption/Decryption Capabilities
- source: elastic
- techniques:
  - T1027
  - T1140
Description
Identifies PowerShell script block content that uses .NET cryptography APIs for file encryption or decryption. Attackers abuse these routines to encrypt data for impact or decrypt staged payloads to evade defenses.
Detection logic
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
  (
    "Cryptography.AESManaged" or
    "Cryptography.RijndaelManaged" or
    "Cryptography.SHA1Managed" or
    "Cryptography.SHA256Managed" or
    "Cryptography.SHA384Managed" or
    "Cryptography.SHA512Managed" or
    "Cryptography.SymmetricAlgorithm" or
    "PasswordDeriveBytes" or
    "Rfc2898DeriveBytes"
  ) and
  (
    CipherMode and PaddingMode
  ) and
  (
    ".CreateEncryptor" or
    ".CreateDecryptor"
  )
) and
not user.id : "S-1-5-18" and
not (
  file.name : "Bootstrap.Octopus.FunctionAppenderContext.ps1" and
  powershell.file.script_block_text : ("function Decrypt-Variables" or "github.com/OctopusDeploy")
)
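Added example, not part of the Elastic rule: a Python re-implementation of the logic above, evaluated against constructed script-block events that exercise the match and both exclusions (LocalSystem and the Octopus Deploy bootstrap script). KQL matching on the analyzed script_block_text field is token-based and case-insensitive; the case-insensitive substring test used here is an approximation, and the SIDs and script texts are constructed.

```python
CRYPTO_CLASSES = (
    "Cryptography.AESManaged", "Cryptography.RijndaelManaged",
    "Cryptography.SHA1Managed", "Cryptography.SHA256Managed",
    "Cryptography.SHA384Managed", "Cryptography.SHA512Managed",
    "Cryptography.SymmetricAlgorithm", "PasswordDeriveBytes", "Rfc2898DeriveBytes",
)
LOCAL_SYSTEM_SID = "S-1-5-18"
OCTOPUS_FILE = "Bootstrap.Octopus.FunctionAppenderContext.ps1"


def _has(text, *needles):
    """Case-insensitive substring test, approximating KQL matches on an analyzed text field."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(event):
    """True when the event would fire the rule above (event is a flat dict keyed by ECS field)."""
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    text = event.get("powershell.file.script_block_text", "")
    suspicious = (_has(text, *CRYPTO_CLASSES)
                  and _has(text, "CipherMode") and _has(text, "PaddingMode")
                  and _has(text, ".CreateEncryptor", ".CreateDecryptor"))
    if not suspicious or event.get("user.id") == LOCAL_SYSTEM_SID:  # exclusion: LocalSystem
        return False
    # exclusion: Octopus Deploy's bootstrap script decrypting its own variables
    if event.get("file.name") == OCTOPUS_FILE and _has(text, "function Decrypt-Variables", "github.com/OctopusDeploy"):
        return False
    return True


# Constructed script-block texts standing in for logged PowerShell 4104 content (not real telemetry)
ENCRYPT_SCRIPT = ("$aes = New-Object System.Security.Cryptography.AesManaged\n"
                  "$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC\n"
                  "$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7\n"
                  "$enc = $aes.CreateEncryptor()")
HASH_ONLY_SCRIPT = "$sha = New-Object System.Security.Cryptography.SHA256Managed\n$sha.ComputeHash($bytes)"


def _event(text, user="S-1-5-21-1000-2000-3000-1001", file_name="script.ps1"):  # constructed SID
    return {"event.category": "process", "host.os.type": "windows", "user.id": user,
            "file.name": file_name, "powershell.file.script_block_text": text}


SAMPLE_EVENTS = {
    "user-encrypts-file": _event(ENCRYPT_SCRIPT),                                   # fires
    "local-system": _event(ENCRYPT_SCRIPT, user=LOCAL_SYSTEM_SID),                  # excluded by SID
    "octopus-bootstrap": _event(ENCRYPT_SCRIPT + "\nfunction Decrypt-Variables {}", file_name=OCTOPUS_FILE),
    "hash-only": _event(HASH_ONLY_SCRIPT),                                          # no CipherMode/PaddingMode
}


def evaluate_samples():
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}
```

Note that the hash-only sample shows why the rule requires CipherMode and PaddingMode alongside the class names: plain hashing with SHA256Managed does not fire.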