sigmahighHunting

File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell

Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.

MITRE ATT&CK

T1135

discovery

Detection Query

selection:
  ParentImage|endswith:
    - \cmd.exe
    - \powershell.exe
    - \pwsh.exe
  Image|endswith: \explorer.exe
  CommandLine|contains: shell:mycomputerfolder
condition: selection

Author

@Kostastsale

Created

2022-12-22

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://ss64.com/nt/shell.html

Tags

attack.discoveryattack.t1135

Raw Content

title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: test
description: |
    Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
references:
    - https://ss64.com/nt/shell.html
date: 2022-12-22
modified: 2024-08-23
tags:
    - attack.discovery
    - attack.t1135
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\explorer.exe'
        CommandLine|contains: 'shell:mycomputerfolder'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml