← Back to SOC feed Coverage →

Hidden Powershell in Link File Pattern

sigma MEDIUM SigmaHQ
T1059.001
imProcessCreate
powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-21T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects events that appear when a user click on a link file with a powershell command in it

Detection Rule

Sigma (Original)

title: Hidden Powershell in Link File Pattern
id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
status: test
description: Detects events that appear when a user click on a link file with a powershell command in it
references:
    - https://www.x86matthew.com/view_post?id=embed_exe_lnk
author: frack113
date: 2022-02-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: C:\Windows\explorer.exe
        Image: C:\Windows\System32\cmd.exe
        CommandLine|contains|all:
            - 'powershell'
            - '.lnk'
    condition: selection
falsepositives:
    - Legitimate commands in .lnk files
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName =~ "C:\\Windows\\explorer.exe" or ActingProcessName =~ "C:\\Windows\\explorer.exe") and TargetProcessName =~ "C:\\Windows\\System32\\cmd.exe" and (TargetProcessCommandLine contains "powershell" and TargetProcessCommandLine contains ".lnk")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml