Using explorer.exe to open a file explorer folder via command prompt

Detects the initial execution of cmd.exe which spawns explorer.exe with the appropriate command line arguments for opening the My Computer folder.

Sigma rule

```yaml
title: Using explorer.exe to open a file explorer folder via command prompt
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: experimental
description: Detects the initial execution of cmd.exe which spawns explorer.exe with the appropriate command line arguments for opening the My Computer folder.
author: '@Kostastsale'
references:
  -
date: 2022/12/22
logsource:
  product: windows
  category: process_creation
detection:
  # Parent process is a command interpreter
  selection1:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  # Child process is explorer.exe started with the shell: folder argument
  selection2:
    Image|endswith:
      - '\explorer.exe'
    CommandLine|contains:
      - 'explorer.exe shell:mycomputerfolder'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.discovery
  - attack.t1135
```
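
To check what the rule above does and does not fire on before deploying it, the following added example (not part of the original rule or its repository) re-implements the two selections in Python and runs them over constructed process_creation events. The event contents, the helper names and the file paths are assumptions made for illustration; the matching follows Sigma's default case-insensitive string comparison.

```python
# Added example: the rule's two selections evaluated over constructed events.
# Sigma's endswith/contains modifiers compare case-insensitively by default.
PARENT_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")          # selection1
IMAGE_SUFFIXES = ("\\explorer.exe",)                          # selection2
CMDLINE_NEEDLES = ("explorer.exe shell:mycomputerfolder",)    # selection2

def _endswith_any(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains_any(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def rule_matches(event):
    """condition: selection1 and selection2 (fields inside a selection are ANDed)."""
    selection1 = _endswith_any(event.get("ParentImage"), PARENT_SUFFIXES)
    selection2 = (_endswith_any(event.get("Image"), IMAGE_SUFFIXES)
                  and _contains_any(event.get("CommandLine"), CMDLINE_NEEDLES))
    return selection1 and selection2

def _event(name, parent, cmdline, image=r"C:\Windows\explorer.exe"):
    return {"name": name, "ParentImage": parent, "Image": image, "CommandLine": cmdline}

# Constructed process_creation events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    _event("cmd_parent", r"C:\Windows\System32\cmd.exe",
           "explorer.exe shell:mycomputerfolder"),
    _event("powershell_mixed_case",
           r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE",
           r"C:\Windows\Explorer.EXE shell:MyComputerFolder",
           image=r"C:\Windows\Explorer.EXE"),
    _event("userinit_parent", r"C:\Windows\System32\userinit.exe",
           "explorer.exe shell:mycomputerfolder"),
    _event("cmd_other_argument", r"C:\Windows\System32\cmd.exe",
           r"explorer.exe C:\Users\Public"),
    _event("cmd_quoted_image_path", r"C:\Windows\System32\cmd.exe",
           r'"C:\Windows\explorer.exe" shell:mycomputerfolder'),
]

def evaluate(events):
    """Return {event name: True/False} for every event."""
    return {e["name"]: rule_matches(e) for e in events}

if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:24} {'MATCH' if hit else 'no match'}")
```

The last constructed event shows that the literal substring in CommandLine|contains depends on how the command line is logged: a quoted image path places a quote between explorer.exe and the argument, so the rule does not fire on it.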