Custom File Open Handler Executes PowerShell
Detects the abuse of custom file open handler, executing powershell
Sigma rule (View on GitHub)
1title: Custom File Open Handler Executes PowerShell
2id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
3status: test
4description: Detects the abuse of custom file open handler, executing powershell
5references:
6 - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
7author: CD_R0M_
8date: 2022-06-11
9modified: 2023-08-17
10tags:
11 - attack.defense-evasion
12 - attack.t1202
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: 'shell\open\command\'
19 Details|contains|all:
20 - 'powershell'
21 - '-command'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
Inserting custom file handling rules for a randomly-created file extension and a .LNK in Windows’ startup folder, malware installer created a stealthy persistence mechanism for backdoor.
Read More
Related rules
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE
- Potential Arbitrary Command Execution Using Msdt.EXE