Detects the initial execution of “cmd.exe” which spawns “explorer.exe” with the appropriate command line arguments for opening the “My Computer” folder.
title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: test
description: |
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
references:
- https://ss64.com/nt/shell.html
date: 2022-12-22
modified: 2024-08-23
tags:
- attack.discovery
- attack.t1135
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\explorer.exe'
CommandLine|contains: 'shell:mycomputerfolder'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml
imProcessCreate
| where ((ParentProcessName endswith "\\cmd.exe" or ParentProcessName endswith "\\powershell.exe" or ParentProcessName endswith "\\pwsh.exe") or (ActingProcessName endswith "\\cmd.exe" or ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe")) and TargetProcessName endswith "\\explorer.exe" and TargetProcessCommandLine contains "shell:mycomputerfolder"| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |