Using explorer.exe to open a file explorer folder via command prompt

calendar Dec 22, 2022 · attack.Discovery attack.T1135  ·
Share on: linkedin copy

Detects the initial execution of cmd.exe which spawns explorer.exe with the appropriate command line arguments for opening the My Computer folder.

Sigma rule (View on GitHub)

 1title: Using explorer.exe to open a file explorer folder via command prompt
 2status: Experimental
 3description: Detects the initial execution of cmd.exe which spawns explorer.exe with the appropriate command line arguments for opening the My Computer folder. 
 4author: '@Kostastsale'
 5references: 
 6  - 
 7date: 2022/12/22
 8logsource:
 9  product: windows
10  category: process_creation
11detection:
12  selection1:
13    ParentImage|endswith: 
14      - '\cmd.exe'
15      - '\powershell.exe'
16  selection2:
17    Image|endswith: 
18      - '\explorer.exe'
19    CommandLine|contains:
20      - 'explorer.exe shell:mycomputerfolder'
21  condition: selection1 and selection2
22falsepositives:
23  - Uknown
24level: high
25tags:
26  - attack.Discovery
27  - attack.T1135```
to-top