From fbb2fb261f4226b7a12d1ca0cf45d8de649a734c Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 2 Feb 2026 18:45:59 +0100
Subject: [PATCH] feat(rules): Add Process execution from compressed file via Explorer rule

Detects child processes commonly used for code execution that are spawned from compressed files when initiated from Windows Explorer. Adversaries can leverage archives to deliver malicious executables and scripts for execution.
---
 ...tion_from_compressed_file_via_explorer.yml | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 rules/execution_process_execution_from_compressed_file_via_explorer.yml

diff --git a/rules/execution_process_execution_from_compressed_file_via_explorer.yml b/rules/execution_process_execution_from_compressed_file_via_explorer.yml
new file mode 100644
index 000000000..5652fa102
--- /dev/null
+++ b/rules/execution_process_execution_from_compressed_file_via_explorer.yml
@@ -0,0 +1,73 @@
+name: Process execution from compressed file via Explorer
+id: e4f373a0-1fe3-42a5-bca6-b465e930713f
+version: 1.0.0
+description: |
+ Detects child processes commonly used for code execution that are spawned
+ from compressed files when initiated from Windows Explorer. Adversaries can
+ leverage archives to deliver malicious executables and scripts for execution.
+labels:
+ tactic.id: TA0002
+ tactic.name: Execution
+ tactic.ref: https://attack.mitre.org/tactics/TA0002/
+ technique.id: T1204
+ technique.name: User Execution
+ technique.ref: https://attack.mitre.org/techniques/T1204/
+ subtechnique.id: T1204.002
+ subtechnique.name: Malicious File
+ subtechnique.ref: https://attack.mitre.org/techniques/T1204/002/
+
+condition: >
+ spawn_process and (ps.parent.name ~= 'explorer.exe' or ps.ancestor iin ('explorer.exe')) and
+ thread.callstack.summary imatches
+ (
+ '*zipfldr.dll*',
+ 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|7z*.exe|*',
+ 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|WinRar.exe|*'
+ ) and
+ (ps.name iin
+ (
+ 'rundll32.exe',
+ 'regsvr32.exe',
+ 'wscript.exe',
+ 'cscript.exe',
+ 'certutil.exe',
+ 'cmstp.exe',
+ 'mshta.exe',
+ 'msxsl.exe',
+ 'RegAsm.exe',
+ 'installutil.exe',
+ 'powershell.exe',
+ 'cmd.exe',
+ 'msbuild.exe',
+ 'AppLaunch.exe',
+ 'AddInUtil.exe',
+ 'AddInProcess.exe'
+ ) or
+ ps.pe.file.name iin
+ (
+ 'rundll32.exe',
+ 'regsvr32.exe',
+ 'wscript.exe',
+ 'cscript.exe',
+ 'certutil.exe',
+ 'cmstp.exe',
+ 'mshta.exe',
+ 'msxsl.exe',
+ 'RegAsm.exe',
+ 'installutil.exe',
+ 'powershell.exe',
+ 'cmd.exe',
+ 'msbuild.exe',
+ 'AppLaunch.exe',
+ 'AddInUtil.exe',
+ 'AddInProcess.exe'
+ )
+ )
+action:
+ - name: kill
+
+output: >
+ Suspicious process %ps.exe executed from compressed file via Windows Explorer
+severity: high
+
+min-engine-version: 3.0.0
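Review bot: The `thread.callstack.summary imatches` list in `condition` only covers the Explorer zip folder handler (`zipfldr.dll`), 7-Zip (`7z*.exe`) and WinRAR (`WinRar.exe`), while the description promises detection of processes spawned from compressed files in general; the two archiver patterns also pin an exact leading module chain (`ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|…`), which presumably will not match other archivers or a differently ordered stack. Consider stating that scope in the description, e.g. `Covers the built-in Explorer zip handler, 7-Zip and WinRAR; other archivers are not matched.`, and, if the rule schema has a references or notes key, recording the callstack samples the patterns were derived from so the chain can be re-validated when those products change. The 16-entry executable list is repeated verbatim for `ps.name` and `ps.pe.file.name`; if the rule engine supports a shared macro or list, pulling it out would keep both copies in sync. Because `action: kill` terminates the matched process, it would also help to document the expected false-positive profile (for example `cmd.exe` or `powershell.exe` started by users from archived scripts) so operators can decide whether to keep the kill action enabled in their environment.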