File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell | Standard | Windows | Discovery: Network Share Discovery (T1135) | Trouble |
About the rule
Rule Type
Standard
Rule Description
explorer.exe is the default Windows process used for browsing files and folders. Attackers may exploit folder shortcut (.lnk) files using specific Shell commands to execute explorer.exe in a way that bypasses traditional user workflows. This technique can enable initial code execution, load malicious files, or establish persistence. This rule detects suspicious instances where File Explorer is launched using shortcut files via the Shell, particularly with unusual arguments or targeting sensitive locations.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Delivery of malicious shortcut file → Execution (user double-click/LNK autorun) → Abuse of explorer.exe via Shell → Impact
Impact
- Execution of unauthorized commands
- Malware or script deployment
- Persistence mechanism
- Lateral movement
- User impersonation and privilege escalation
Rule Requirement
Prerequisites
Use the Group Policy Management Console to audit process creation and process termination.
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.
Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.
Criteria
Action1: actionname = "Process started" AND PARENTPROCESSNAME endswith "\cmd.exe,\powershell.exe,\pwsh.exe" AND PROCESSNAME endswith "\explorer.exe" AND COMMANDLINE contains "shell:mycomputerfolder" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Discovery: Network Share Discovery (T1135)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
When this rule is triggered, you’re notified of File Explorer instances opened using shortcut files through the Shell. This enables you to review invocation arguments, analyze the context of the opened folder, and identify potential abuse of shortcut or Shell commands
Author
@Kostastsale
Future actions
Known False Positives
Legitimate administrative scripts or software deployment tools may use folder shortcuts for workflow automation. Review details of the shortcut targets, user context, and command-line arguments to distinguish benign uses.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Reconfiguration: Update monitoring rules or allowlists to better differentiate between authorized administrative actions and potential attacker workflows, and continue monitoring for recurrence.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1028 |
| Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares.(Citation: Windows Anonymous Enumeration of SAM Accounts) |
