Detectionmediumtest

Hidden Powershell in Link File Pattern

Detects events that appear when a user click on a link file with a powershell command in it

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sun Feb 0630e92f50-bb5a-4884-98b5-d20aa80f3d7awindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage: C:\Windows\explorer.exe
        Image: C:\Windows\System32\cmd.exe
        CommandLine|contains|all:
            - 'powershell'
            - '.lnk'
    condition: selection

False Positives

Legitimate commands in .lnk files

References

Resolving title…

x86matthew.com

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.001 · PowerShell

Rule Metadata

Rule ID

30e92f50-bb5a-4884-98b5-d20aa80f3d7a

Status

test

Level

medium

Type

Detection

Created

Sun Feb 06

Author

François Hubaut

Path

rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml

Raw Tags

attack.executionattack.t1059.001

View on GitHub