Hidden Powershell in Link File Pattern
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects the process-creation event that appears when a user clicks a link (.lnk) file that carries a PowerShell command: cmd.exe spawned by explorer.exe with both "powershell" and ".lnk" in its command line.
Detection logic
selection:
  CommandLine|contains|all:
    - powershell
    - .lnk
  Image: C:\Windows\System32\cmd.exe
  ParentImage: C:\Windows\explorer.exe
condition: selection
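The selection above as a small runnable matcher over constructed process-creation events, so the rule's semantics (case-insensitive matching, `contains|all` requiring every value, and the Image/ParentImage constraints) can be checked. This is an added example, not Sigma's own matcher; the field names follow Sysmon and the sample command lines are constructed.

```python
from typing import Any

# Added example: the rule's selection as a minimal Sigma-style evaluator.
# Sigma string matching is case-insensitive, and `contains|all` requires
# every listed value to be a substring of the field.
RULE_SELECTION = {
    "CommandLine|contains|all": ["powershell", ".lnk"],
    "Image": r"C:\Windows\System32\cmd.exe",
    "ParentImage": r"C:\Windows\explorer.exe",
}


def field_matches(event: dict, key: str, expected: Any) -> bool:
    """Evaluate one selection entry (field plus optional modifiers) against an event."""
    field, *modifiers = key.split("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    if "contains" in modifiers:
        hits = [w in value for w in wanted]
    else:  # plain value: exact, case-insensitive comparison
        hits = [value == w for w in wanted]
    # a value list without `all` is OR-ed, as in Sigma
    return all(hits) if "all" in modifiers else any(hits)


def rule_matches(event: dict) -> bool:
    """condition: selection -> every entry of the selection must match."""
    return all(field_matches(event, k, v) for k, v in RULE_SELECTION.items())


# Constructed process-creation events (Sysmon field names), not real telemetry.
CMD, EXPLORER = r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # 1: the pattern the rule targets; mixed case still matches
    {"Image": CMD, "ParentImage": EXPLORER,
     "CommandLine": r'cmd.exe /c PowerShell -File "C:\Users\Public\Invoice.LNK"'},
    # 2: explorer -> cmd runs powershell, but no .lnk in the command line
    {"Image": CMD, "ParentImage": EXPLORER, "CommandLine": "cmd.exe /c powershell -Command Get-Date"},
    # 3: explorer -> powershell.exe directly; Image is not cmd.exe, so no match
    {"Image": PWSH, "ParentImage": EXPLORER, "CommandLine": "powershell -File Invoice.lnk"},
    # 4: parent is cmd.exe rather than explorer.exe (nested shell), so no match
    {"Image": CMD, "ParentImage": CMD, "CommandLine": "cmd.exe /c powershell -File Invoice.lnk"},
]


def evaluate_events(events=EVENTS) -> list:
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for n, hit in enumerate(evaluate_events(), 1):
        print(f"event {n}: {'ALERT' if hit else 'no match'}")
```

Events 2 to 4 show the three ways an otherwise similar event falls outside the rule, which is also where coverage gaps sit (PowerShell launched without cmd.exe in between is not caught by this rule).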