File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
Detects the initial execution of "cmd.exe" spawning "explorer.exe" with the command-line arguments that open the "My Computer" folder. The rule's selection also accepts "powershell.exe" and "pwsh.exe" as the parent process.
Sigma rule
title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: experimental
description: |
    Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
references:
    - https://ss64.com/nt/shell.html
date: 2022-12-22
modified: 2024-08-23
tags:
    - attack.discovery
    - attack.t1135
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\explorer.exe'
        CommandLine|contains: 'shell:mycomputerfolder'
    condition: selection
falsepositives:
    - Unknown
level: high
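The selection logic above, evaluated against sample events, as an added example that is not part of the original rule or the Sigma project's code. It assumes Sysmon-style field names and Sigma's default case-insensitive string matching; the events and the helper names `field_matches` and `rule_matches` are constructed for illustration.

```python
# Added example: evaluate the rule's selection against constructed
# process_creation events. Sigma string matching is case-insensitive by default.

SELECTION = {
    "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
    "Image|endswith": "\\explorer.exe",
    "CommandLine|contains": "shell:mycomputerfolder",
}

MODIFIERS = {
    "endswith": lambda value, pattern: value.endswith(pattern),
    "contains": lambda value, pattern: pattern in value,
}


def field_matches(event, key, patterns):
    """One selection entry: any listed pattern may match (OR within a list)."""
    field, modifier = key.split("|")
    value = str(event.get(field, "")).lower()  # a missing field never matches
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(MODIFIERS[modifier](value, p.lower()) for p in patterns)


def rule_matches(event, selection=SELECTION):
    """All entries of the selection must match (AND across fields)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# Constructed sample events (hypothetical, not real telemetry).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe shell:mycomputerfolder"},
    {"ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "Image": r"C:\Windows\Explorer.EXE",
     "CommandLine": r'"C:\Windows\explorer.exe" Shell:MyComputerFolder'},
    {"ParentImage": r"C:\Windows\System32\userinit.exe",  # normal logon chain
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",  # different shell: folder
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe shell:Downloads"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(rule_matches(ev), ev["ParentImage"], "->", ev["CommandLine"])
```

The first two events match; the third fails on the parent process and the fourth on the command line, which shows that every field in the selection must hit for the rule to fire.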
Related rules
- HackTool - SharpView Execution
- PUA - Advanced IP Scanner Execution
- PUA - Advanced Port Scanner Execution
- Potential Dridex Activity
- Turla Group Lateral Movement