Hidden Powershell in Link File Pattern

calendar Aug 12, 2024 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects events that appear when a user click on a link file with a powershell command in it

Sigma rule (View on GitHub)

 1title: Hidden Powershell in Link File Pattern
 2id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
 3status: test
 4description: Detects events that appear when a user click on a link file with a powershell command in it
 5references:
 6    - https://www.x86matthew.com/view_post?id=embed_exe_lnk
 7author: frack113
 8date: 2022-02-06
 9tags:
10    - attack.execution
11    - attack.t1059.001
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        ParentImage: C:\Windows\explorer.exe
18        Image: C:\Windows\System32\cmd.exe
19        CommandLine|contains|all:
20            - 'powershell'
21            - '.lnk'
22    condition: selection
23falsepositives:
24    - Legitimate commands in .lnk files
25level: medium

References

  • x86matthew - Home

    WriteProcessMemoryAPC - Write memory to a remote process using APC calls Another alternative to WriteProcessMemory, this time by scheduling APC calls to call RtlFillMemory


    Read More

Related rules

to-top