add win_pc_embed_exe_lnk
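--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/win_pc_embed_exe_lnk.yml
@@ -0,0 +1,25 @@
+title: Hide a Powershell Script In a Link File
+id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
+status: experimental
+description: This is created when a user click on a lnk file with a powershell hide into it
+author: frack113
+date: 2022/02/06
+references:
+- https://www.x86matthew.com/view_post?id=embed_exe_lnk
+logsource:
+category: process_creation
+product: windows
+detection:
+selection:
+ParentImage: C:\Windows\explorer.exe
+Image: C:\Windows\System32\cmd.exe
+CommandLine|contains|all:
+- 'powershell'
+- '.lnk'
+condition: selection
+falsepositives:
+- unknown
+level: medium
+tags:
+- attack.execution
+- attack.t1059.001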
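Review bot: The `Image: C:\Windows\System32\cmd.exe` and `ParentImage: C:\Windows\explorer.exe` selections are exact full-path matches, so the rule silently misses the same behaviour when the SysWOW64 copy of cmd.exe is launched or Windows is installed on a non-default drive; the usual Sigma form is `ParentImage|endswith: '\explorer.exe'` and `Image|endswith: '\cmd.exe'`. The `description:` line reads awkwardly and does not say what the rule actually matches, which makes triage harder; something like `description: Detects cmd.exe spawned by explorer.exe with a command line referencing both powershell and a .lnk file, a pattern associated with PowerShell code hidden inside a shortcut file` would be clearer. `falsepositives: - unknown` is likely to be hit by administrative shortcuts whose target legitimately invokes powershell with a .lnk path, so the benign sources seen in baseline data are worth recording once the rule has been run. The rendered page drops leading whitespace, so the nesting of `category`/`product` under `logsource` and of `selection` under `detection` cannot be confirmed from here.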