← Back to SOC feed Coverage →

File Decryption Using Gpg4win

sigma MEDIUM SigmaHQ
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-08T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects usage of Gpg4win to decrypt files

Detection Rule

Sigma (Original)

title: File Decryption Using Gpg4win
id: 037dcd71-33a8-4392-bb01-293c94663e5a
status: test
description: Detects usage of Gpg4win to decrypt files
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.gpg4win.de/documentation.html
    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_metadata:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - Description: 'GnuPG’s OpenPGP tool'
    selection_cli:
        CommandLine|contains|all:
            - ' -d '
            - 'passphrase'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where ((TargetProcessName endswith "\\gpg.exe" or TargetProcessName endswith "\\gpg2.exe") or TargetProcessFileDescription =~ "GnuPG’s OpenPGP tool") and (TargetProcessCommandLine contains " -d " and TargetProcessCommandLine contains "passphrase")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml