File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
Sigma rule
title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: test
description: |
    Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
references:
    - https://ss64.com/nt/shell.html
date: 2022-12-22
modified: 2024-08-23
tags:
    - attack.discovery
    - attack.t1135
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\explorer.exe'
        CommandLine|contains: 'shell:mycomputerfolder'
    condition: selection
falsepositives:
    - Unknown
level: high
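The selection logic of the rule above, as an added Python example that is not part of the original rule or of the Sigma project's tooling: it applies Sigma's matching semantics (case-insensitive `endswith`/`contains`, OR across list values, AND across fields) to constructed process-creation events. The function names and the sample events are assumptions made for illustration.

```python
# Added example: evaluates the rule's `selection` against constructed events.
# Sigma semantics: string matching is case-insensitive, list values under one
# field are OR'd, and the fields inside one selection are AND'd.

PARENT_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
IMAGE_SUFFIX = "\\explorer.exe"
CMDLINE_NEEDLE = "shell:mycomputerfolder"


def matches_rule(event):
    """Return True if a process_creation event satisfies the selection."""
    # A missing field is treated as an empty string, so it can never match.
    parent = str(event.get("ParentImage", "")).lower()
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    return (
        parent.endswith(PARENT_SUFFIXES)      # ParentImage|endswith (any of)
        and image.endswith(IMAGE_SUFFIX)      # Image|endswith
        and CMDLINE_NEEDLE in cmdline         # CommandLine|contains
    )


def matching_ids(events):
    """Return the ids of the events that the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events: field names follow the rule, values are made up.
SAMPLE_EVENTS = [
    {"id": "cmd-hit", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe shell:mycomputerfolder"},
    {"id": "pwsh-mixed-case", "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "Image": r"C:\Windows\Explorer.EXE",
     "CommandLine": "explorer.exe Shell:MyComputerFolder"},
    {"id": "non-shell-parent", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe shell:mycomputerfolder"},
    {"id": "other-shell-folder", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe shell:startup"},
    {"id": "no-parent-field", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe shell:mycomputerfolder"},
]

if __name__ == "__main__":
    for event_id in matching_ids(SAMPLE_EVENTS):
        print("ALERT (level: high):", event_id)
```

Only the first two events match: the same command line launched from a non-shell parent, or with the parent field missing from the log source, does not satisfy the selection.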
References
- https://ss64.com/nt/shell.html
Related rules
- HackTool - SharpView Execution
- PUA - Advanced IP Scanner Execution
- PUA - Advanced Port Scanner Execution
- Potential Dridex Activity
- Turla Group Lateral Movement