Hidden Powershell in Link File Pattern
Detects events that appear when a user click on a link file with a powershell command in it
Sigma rule (View on GitHub)
1title: Hidden Powershell in Link File Pattern
2id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
3status: test
4description: Detects events that appear when a user click on a link file with a powershell command in it
5references:
6 - https://www.x86matthew.com/view_post?id=embed_exe_lnk
7author: frack113
8date: 2022/02/06
9tags:
10 - attack.execution
11 - attack.t1059.001
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentImage: C:\Windows\explorer.exe
18 Image: C:\Windows\System32\cmd.exe
19 CommandLine|contains|all:
20 - 'powershell'
21 - '.lnk'
22 condition: selection
23falsepositives:
24 - Legitimate commands in .lnk files
25level: medium
References
-
WriteProcessMemoryAPC - Write memory to a remote process using APC calls Another alternative to WriteProcessMemory, this time by scheduling APC calls to call RtlFillMemory
Read More
Related rules
- HackTool - Covenant PowerShell Launcher
- HackTool - Empire PowerShell Launch Parameters
- Potential PowerShell Obfuscation Via WCHAR
- PowerShell DownloadFile
- Suspicious PowerShell Invocation From Script Engines