Portable Gpg.EXE Execution

Sigma Rules

Summary
This detection rule identifies the execution of 'gpg.exe' or 'gpg2.exe' from directories other than the legitimate GnuPG installation paths. 'gpg.exe' is the GnuPG command-line tool for encrypting and decrypting data under the OpenPGP standard, and ransomware and loaders sometimes drop a portable copy of it to encrypt victim data or to unpack encrypted payloads rather than shipping their own crypto. By monitoring process creation events, the rule highlights potentially malicious uses of the tool in locations where it is not expected, for example during unauthorized access or in preparation for data exfiltration. It filters out legitimate usage by excluding executions whose image path contains a known installation directory of the application; any other execution of the binary is flagged. Because the filter is path based, a copy of the legitimate binary placed in a user-writable or temporary directory is reported, while a legitimate portable installation in a non-standard path will produce alerts until that path is added to the allow-list for your environment.
Categories
  • Endpoint
  • Windows
  • Infrastructure
Data Sources
  • Process
ATT&CK Techniques
  • T1486
Created: 2023-08-06