Need (XQL) BIOC Rule for starting CMD/Powershell through LNK Files

L4 Transporter

Hello dear Community, 

 

As you know, a very common attack is loading code directly into memory. This sometimes happens through an LNK file or Office macros.

In my case I want to hunt for LNK files which were double-clicked and started a cmd or powershell. When I queried my test process (LNK --> powershell --> cmd = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c cmd.exe), there was no indicator that the powershell was started through a link file.

What am I missing in my plan to hunt for these? Does someone have a ready-to-hunt query?

 

BR

 

Rob

2 REPLIES

L5 Sessionator

Hello Rob,

 

Thank you for writing to live community!

 

May I know whether you have tested or reproduced the scenario, or is there any activity in your environment to hunt with the given command?

 

Regards.

 

Ashutosh Patil

Hello @aspatil

 

I am trying to hunt these because, as you know, this is a common attack scenario where the adversaries want to load their scripts directly into memory.

I just want to know if there is a possibility to hunt for these.

 

BR

 

Rob
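An XQL hunting query for the scenario Rob describes, added here as an example; it is not part of any reply in the thread and not Palo Alto's own content. It relies on the reason Rob saw no indicator: a double-clicked .lnk is executed by explorer.exe, which resolves the shortcut target and starts it, so the shortcut itself never appears in the process tree. The only process-level signal is therefore explorer.exe as the parent of the shell, which is what the query pivots on. Field and enum names (xdr_data, event_type, event_sub_type, actor_process_image_name, action_process_image_name, action_process_image_command_line, agent_hostname, actor_effective_username) are assumed to match the standard Cortex XDR schema and should be checked against your tenant before the query is saved as a BIOC; the command-line keyword list is an assumption to tune.

```xql
// Added hunting example, not from the thread. Assumes the standard xdr_data
// process fields; verify them against your tenant before saving as a BIOC.
dataset = xdr_data
// process start events only
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// a double-clicked .lnk is launched by explorer.exe, so explorer.exe is the parent
| filter actor_process_image_name = "explorer.exe"
// typical LNK targets used to stage an in-memory loader
| filter action_process_image_name in ("powershell.exe", "pwsh.exe", "cmd.exe",
                                       "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe")
// noise reduction: keep launches whose command line looks like a loader rather than an
// interactive shell opened from the Start menu (keyword list is an assumption; tune it)
| alter cmd = lowercase(action_process_image_command_line)
| filter cmd contains "-enc" or cmd contains "-e " or cmd contains "hidden"
    or cmd contains "iex" or cmd contains "invoke-expression" or cmd contains "downloadstring"
    or cmd contains "frombase64string" or cmd contains "-c cmd"
| fields _time, agent_hostname, actor_effective_username,
         actor_process_image_name, actor_process_command_line,
         action_process_image_name, action_process_image_command_line
| sort desc _time
```

Rob's test chain matches the first hop of this query (explorer.exe starting powershell.exe with "-c cmd.exe"); the second hop, cmd.exe, can be found with a follow-up query that swaps the parent filter to actor_process_image_name = "powershell.exe". Two caveats before turning it into a BIOC: an explorer.exe parent is not proof of an LNK, because the Start menu, the Run dialog and a double-clicked .bat or .ps1 produce the same parent, so the command-line filter is what keeps the rule usable; and an LNK opened from inside an archive viewer or an Office attachment preview has that application as the parent instead of explorer.exe, so hunt those parents separately.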

  • 1013 Views
  • 2 replies
  • 0 Likes