
Summary
This detection rule focuses on identifying a specific method of launching Windows File Explorer to open the 'My Computer' folder from the command line. It captures instances where `cmd.exe`, `powershell.exe`, or `pwsh.exe` is the parent process that launches `explorer.exe` with the command-line argument `shell:mycomputerfolder`. This behavior can be indicative of script-based attacks or unauthorized access attempts, as it uses ordinary Windows commands to drive system file browsing. Because it keys on the parent-child process relationship, the rule can highlight activity that more general monitoring may miss, particularly in environments where scripts or command-line interfaces are commonly used for administrative tasks.
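The following Python block is an added illustration, not the rule's own query or any project's code: it re-implements the parent/child matching logic described above and runs it over constructed process-creation events. The field names (`ParentImage`, `Image`, `CommandLine`) are assumed to follow the Sysmon Event ID 1 convention, and every sample event is made up for this example. The third sample shows why the parent-process constraint matters: the same `shell:mycomputerfolder` argument launched by `explorer.exe` itself (a user double-clicking a shortcut) does not fire.

```python
"""
Added illustration: re-implements the page's parent/child detection logic
in Python and runs it over constructed process-creation events.
Field names follow the Sysmon Event ID 1 convention (assumption);
the sample events below are constructed, not real telemetry.
"""
from typing import Iterable

# Parent images named by the rule; matched as path suffixes, case-insensitively.
PARENT_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
CHILD_IMAGE = "\\explorer.exe"
MARKER = "shell:mycomputerfolder"


def matches_rule(event: dict) -> bool:
    """True when a cmd/powershell/pwsh parent launches explorer.exe with the
    'shell:mycomputerfolder' argument. Comparisons are case-insensitive,
    since Windows paths and shell: arguments are."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith(PARENT_IMAGES)
        and image.endswith(CHILD_IMAGE)
        and MARKER in cmdline
    )


def scan(events: Iterable[dict]) -> list:
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # matches: cmd.exe parent, explorer.exe child, marker present
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "explorer.exe shell:mycomputerfolder",
    },
    {  # matches: pwsh.exe parent, mixed-case argument
        "ParentImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "explorer Shell:MyComputerFolder",
    },
    {  # benign: same argument, but explorer.exe is the parent (user click)
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "explorer.exe shell:mycomputerfolder",
    },
    {  # benign: cmd.exe parent, but a different explorer argument
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "explorer.exe C:\\Users",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

Running the block prints two alerts (the first two samples) and stays silent on the two benign events; when wiring the same logic into a real pipeline, keep the suffix match on the full image path rather than a bare process name so that a renamed binary in another directory is not mistaken for the system `cmd.exe`.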
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-12-22