Custom File Open Handler Executes PowerShell
Detects the abuse of custom file open handler, executing powershell
Sigma rule (View on GitHub)
1title: Custom File Open Handler Executes PowerShell
2id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
3status: experimental
4description: Detects the abuse of custom file open handler, executing powershell
5references:
6 - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
7author: CD_R0M_
8date: 2022/06/11
9modified: 2023/08/17
10tags:
11 - attack.defense_evasion
12 - attack.t1202
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: 'shell\open\command\'
19 Details|contains|all:
20 - 'powershell'
21 - '-command'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
Inserting custom file handling rules for a randomly-created file extension and a .LNK in Windows’ startup folder, malware installer created a stealthy persistence mechanism for backdoor.
Read More
Related rules
- WSL Child Process Anomaly
- LOLBIN Execution Of The FTP.EXE Binary
- Arbitrary Command Execution Using WSL
- Potential Arbitrary DLL Load Using Winword
- Suspicious Splwow64 Without Params