
Summary
This detection rule identifies the invocation of Gpg4win utilities for file encryption on Windows systems. Gpg4win is an encryption suite built on GnuPG, which is widely used for secure communication and data storage. The rule inspects process creation events for processes whose image is either 'gpg.exe' or 'gpg2.exe', the executables commonly associated with Gpg4win. In addition, it examines the command-line arguments for indications that encryption is being performed, such as a passphrase being supplied. Such activity may be legitimate protection of sensitive information, but threat actors can abuse the same tooling to hide malicious file activity behind encryption. Detecting Gpg4win encryption operations is therefore important for maintaining endpoint visibility into unauthorized encryption.
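To make the two conditions above concrete (a gpg.exe or gpg2.exe image plus command-line indicators of encryption or a supplied passphrase), here is a small Python re-implementation run over constructed process-creation events. This is an added example, not the published rule: the field names Image and CommandLine, and the particular GnuPG options treated as indicators (-c/--symmetric, -e/--encrypt, and the --passphrase family), are this example's assumptions about how "indications that encryption is being performed" could be expressed; the events are constructed, not real telemetry.

```python
"""Toy re-implementation of the detection logic described in the summary.

Added example, not the published rule. Field names (Image, CommandLine)
and the GnuPG options checked are assumptions about how the rule's
"encryption indicators" and "presence of a passphrase" could be expressed.
"""
import ntpath
import shlex

# Executables named in the rule description (matched on basename, case-insensitive).
GPG_IMAGES = {"gpg.exe", "gpg2.exe"}

# GnuPG options that request an encryption operation or supply a passphrase
# non-interactively. Assumption of this example, not text from the rule.
ENCRYPT_FLAGS = {"-c", "--symmetric", "-e", "--encrypt"}
PASSPHRASE_PREFIX = "--passphrase"   # covers --passphrase, --passphrase-fd, --passphrase-file, --passphrase=...


def _tokens(command_line):
    """Split a Windows command line into tokens without treating backslashes as escapes."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        return command_line.split()


def is_gpg_image(image):
    """True when the process image is one of the Gpg4win executables."""
    return ntpath.basename(image).lower() in GPG_IMAGES


def encryption_indicators(command_line):
    """Return the set of encryption/passphrase indicators found on the command line.

    Tokens are compared whole so that a filename containing "-c" is not a hit.
    """
    hits = set()
    for tok in _tokens(command_line):
        tok = tok.strip('"').lower()
        if tok in ENCRYPT_FLAGS:
            hits.add(tok)
        elif tok.startswith(PASSPHRASE_PREFIX):
            hits.add(PASSPHRASE_PREFIX)
    return hits


def matches(event):
    """Apply the rule: Gpg4win image AND at least one encryption/passphrase indicator."""
    if not is_gpg_image(event.get("Image", "")):
        return False
    return bool(encryption_indicators(event.get("CommandLine", "")))


def run_detection(events):
    """Return the indices of events that satisfy the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed process-creation events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "CommandLine": r'gpg.exe --batch --yes --passphrase "hunter2" -c C:\Users\alice\Documents\report.docx'},
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg2.exe",
     "CommandLine": r"gpg2.exe --symmetric --passphrase-file C:\Temp\key.txt C:\Data\archive.zip"},
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "CommandLine": "gpg.exe --list-keys"},               # benign key listing: no indicators
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c type passphrase.txt"},    # mentions a passphrase, but not a gpg image
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "CommandLine": "gpg.exe --decrypt --passphrase x secret.gpg"},  # fires on the passphrase indicator alone
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Two points worth noticing when tuning a rule of this shape: matching on the Image basename rather than a substring of the path avoids alerting on unrelated binaries that merely live in a GnuPG directory, and comparing whole tokens rather than substrings keeps a filename such as "-custom.txt" from satisfying the "-c" check. As the summary states, a passphrase on the command line is an indicator in its own right, so the last sample (decryption with a scripted passphrase) also fires; narrow the flag set if only encryption is of interest.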
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-08-09