
Summary
This detection rule identifies potentially malicious behavior associated with the execution of PowerShell commands embedded within Windows link (.lnk) files. When a user opens a link file whose target is a PowerShell command, Windows typically spawns a new command shell, which can then be used to execute harmful scripts or commands. The rule specifically looks for instances where the parent process is Explorer.exe, indicating that the user interacted with the file, and the executed process is cmd.exe with a command line containing both 'powershell' and '.lnk'. The rule is valuable for identifying execution patterns indicative of an attack that delivers PowerShell via malicious link files.
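The matching logic described above, as an added example that is not part of the rule itself or of any detection platform: a small Python function that applies the three conditions (parent is Explorer.exe, image is cmd.exe, command line contains both 'powershell' and '.lnk') to process-creation events. The event field names (ParentImage, Image, CommandLine) follow Sysmon's process-creation event but are an assumption here, and the sample events are constructed.

```python
"""Added example: re-implementation of the rule's matching logic in plain Python.
Not the detection platform's own code. Field names (ParentImage, Image,
CommandLine) are assumed to follow Sysmon's process-creation event; the events
below are constructed samples, not real telemetry."""
import ntpath
from typing import Dict, Iterable, List

# Constructed process-creation events: one true match and three near misses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # matches: Explorer -> cmd.exe, command line names both powershell and a .lnk
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c PowerShell -NoProfile '
                       r'-File C:\Users\alice\Desktop\readme.txt.lnk',
    },
    {   # no match: Explorer -> cmd.exe but no powershell in the command line
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\alice\Desktop\notes.lnk',
    },
    {   # no match: parent is not Explorer (e.g. a scheduled task host)
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c powershell -File C:\ProgramData\maint.lnk',
    },
    {   # no match: powershell present but the command line never mentions a .lnk
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c powershell -Command Get-Date',
    },
]


def _basename_lower(path: str) -> str:
    """File name component of a Windows path, lower-cased.

    ntpath is used instead of os.path so backslash-separated paths are handled
    correctly even when this runs on a non-Windows analysis host.
    """
    return ntpath.basename(path).lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies all three conditions of the rule.

    Comparisons are case-insensitive because Windows file names and the
    PowerShell executable name can appear in any casing on the command line.
    """
    parent = _basename_lower(event.get("ParentImage", ""))
    image = _basename_lower(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent == "explorer.exe"
        and image == "cmd.exe"
        and "powershell" in cmdline
        and ".lnk" in cmdline
    )


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process-creation events down to rule hits."""
    return [event for event in events if matches_rule(event)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The substring checks mirror the rule's 'contains' semantics, so the match is deliberately broad: any cmd.exe launched from Explorer whose arguments mention both strings fires, which is why the parent-process condition carries most of the precision. When tuning, compare hits against known-good shortcuts in the environment before excluding anything, since the command line alone does not distinguish a benign administrative shortcut from a malicious one.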
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-02-06