Suspicious Explorer Child Process

Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.

Elastic rule

[metadata]
creation_date = "2020/10/29"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or
executables from a trusted parent process.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Explorer Child Process"
risk_score = 47
rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (
   process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or
   ?process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
  ) and
  /* Explorer started via DCOM */
  process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and
  not process.parent.args:
          (
            /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs   */
            "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}",
            "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}"
          )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Explorer Child Process

Windows Explorer, a core component of the Windows OS, manages file and folder navigation. Adversaries exploit its trusted status to launch malicious scripts or executables, often using DCOM to start processes like PowerShell or cmd.exe. The detection rule identifies such anomalies by monitoring child processes of Explorer with specific characteristics, excluding known benign activities, to flag potential threats.

### Possible investigation steps

- Review the process details to confirm the suspicious child process was indeed started by explorer.exe with the specific parent arguments indicating DCOM usage, such as "-Embedding".
- Check the process command line arguments and execution context to identify any potentially malicious scripts or commands being executed by the child process.
- Investigate the parent process explorer.exe to determine if it was started by a legitimate user action or if there are signs of compromise, such as unusual user activity or recent phishing attempts.
- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
- Examine the network activity associated with the suspicious process to detect any unauthorized data exfiltration or communication with known malicious IP addresses.
- Assess the system for any additional indicators of compromise, such as unexpected changes in system files or registry keys, which might suggest a broader attack.

### False positive analysis

- Legitimate software installations or updates may trigger the rule when they use scripts or executables like PowerShell or cmd.exe. Users can create exceptions for known software update processes by identifying their specific command-line arguments or parent process details.
- System administrators often use scripts for maintenance tasks that might be flagged by this rule. To prevent false positives, administrators should document and exclude these routine scripts by specifying their unique process arguments or execution times.
- Some enterprise applications may use DCOM to launch processes for legitimate purposes. Users should identify these applications and exclude their specific process signatures or parent-child process relationships from the rule.
- Automated testing environments might execute scripts or commands that resemble suspicious activity. Users can mitigate false positives by excluding processes that are part of known testing frameworks or environments.
- Certain security tools or monitoring software may use similar techniques to gather system information. Users should verify and exclude these tools by confirming their process names and execution patterns.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
- Terminate the suspicious child process identified in the alert, such as cscript.exe, wscript.exe, powershell.exe, rundll32.exe, cmd.exe, mshta.exe, or regsvr32.exe, to stop any ongoing malicious actions.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
- Review and analyze the parent process explorer.exe and its command-line arguments to understand how the malicious process was initiated and to identify any potential persistence mechanisms.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
- Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence.
- Review and update endpoint security policies to restrict the execution of potentially malicious scripts or executables from explorer.exe, especially when initiated via DCOM."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
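The query above combines three conditions: a child process whose name (or PE original file name, which survives a rename) is one of the listed interpreters, a parent explorer.exe carrying the DCOM "-Embedding" argument, and the absence of the two noisy "/factory,{CLSID}" arguments. The following is an added Python re-implementation of that logic, not Elastic's code and not how the Elastic stack evaluates EQL; it mirrors the EQL operators the rule relies on (":" is case-insensitive and matches any element of an array field, "in" is a case-sensitive exact match, and a "?"-prefixed missing field never matches) and runs them over constructed ECS-style events so the match and exclusion behaviour can be checked offline. It also adds a hypothetical `exceptions` hook of the kind the false positive section describes; the script path in `known_maintenance_script` is a placeholder.

```python
"""Added example (not Elastic's code): re-implements the rule's EQL logic over
constructed ECS-style process events, plus a hypothetical tuning exception."""

# Child process names the rule looks for (EQL ':' on process.name, case-insensitive).
CHILD_NAMES = ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe",
               "cmd.exe", "mshta.exe", "regsvr32.exe")
# PE original file names (EQL 'in', case-sensitive); this branch catches renamed binaries.
ORIGINAL_FILE_NAMES = ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE",
                       "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
# Noisy CLSID_SeparateSingleProcessExplorerHost factory arguments the rule excludes.
NOISY_FACTORY_ARGS = ("/factory,{5BD95610-9434-43C2-886C-57852CC8A120}",
                      "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}")


def eql_colon(value, patterns):
    """EQL ':' on a keyword field: case-insensitive match against any pattern;
    an array field matches if any element matches; a missing field never matches."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    wanted = {p.lower() for p in patterns}
    return any(v.lower() in wanted for v in values)


def eql_in(value, items):
    """EQL 'in': case-sensitive exact membership. The query prefixes the field with '?',
    so a missing process.pe.original_file_name simply evaluates to no match."""
    return value is not None and value in items


def matches_rule(event, exceptions=()):
    """True when an ECS process event satisfies the rule query and no
    environment-specific exception (a predicate over the event) suppresses it."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    suspicious_child = (eql_colon(event.get("process.name"), CHILD_NAMES)
                        or eql_in(event.get("process.pe.original_file_name"), ORIGINAL_FILE_NAMES))
    if not suspicious_child:
        return False
    parent_args = event.get("process.parent.args") or []
    # Explorer started via DCOM shows up as explorer.exe with an -Embedding argument.
    if not (eql_colon(event.get("process.parent.name"), ["explorer.exe"])
            and eql_colon(parent_args, ["-Embedding"])):
        return False
    if eql_colon(parent_args, NOISY_FACTORY_ARGS):
        return False
    return not any(is_exception(event) for is_exception in exceptions)


# Constructed sample events (not real telemetry); keys are ECS dotted field names.
EXPLORER = "C:\\Windows\\explorer.exe"
SAMPLE_EVENTS = [
    {"event.id": "dcom-powershell", "host.os.type": "windows", "event.type": "start",
     "process.name": "powershell.exe", "process.args": ["powershell.exe", "-File", "C:\\PLACEHOLDER\\a.ps1"],
     "process.parent.name": "explorer.exe", "process.parent.args": [EXPLORER, "-Embedding"]},
    {"event.id": "noisy-factory-cmd", "host.os.type": "windows", "event.type": "start",
     "process.name": "cmd.exe", "process.parent.name": "explorer.exe",
     "process.parent.args": [EXPLORER, NOISY_FACTORY_ARGS[0], "-Embedding"]},
    {"event.id": "renamed-powershell", "host.os.type": "windows", "event.type": "start",
     "process.name": "update.exe", "process.pe.original_file_name": "PowerShell.EXE",
     "process.parent.name": "explorer.exe", "process.parent.args": [EXPLORER, "-Embedding"]},
    {"event.id": "user-launched-cmd", "host.os.type": "windows", "event.type": "start",
     "process.name": "cmd.exe", "process.parent.name": "explorer.exe",
     "process.parent.args": [EXPLORER]},
    {"event.id": "benign-child", "host.os.type": "windows", "event.type": "start",
     "process.name": "notepad.exe", "process.parent.name": "explorer.exe",
     "process.parent.args": [EXPLORER, "-Embedding"]},
    {"event.id": "maintenance-script", "host.os.type": "windows", "event.type": "start",
     "process.name": "powershell.exe", "process.args": ["powershell.exe", "-File", "C:\\Tools\\maintenance.ps1"],
     "process.parent.name": "explorer.exe", "process.parent.args": [EXPLORER, "-Embedding"]},
]


def known_maintenance_script(event):
    """Hypothetical tuning exception: a documented maintenance script identified by its
    command line. The path is a placeholder, not a real or recommended exclusion."""
    return "C:\\Tools\\maintenance.ps1" in (event.get("process.args") or [])


def evaluate(events=SAMPLE_EVENTS, exceptions=()):
    """Map each sample event id to whether the rule would alert on it."""
    return {e["event.id"]: matches_rule(e, exceptions) for e in events}


if __name__ == "__main__":
    for event_id, hit in evaluate().items():
        print(f"{event_id:20s} alert={hit}")
    print("with exception:", evaluate(exceptions=[known_maintenance_script])["maintenance-script"])
```

Run without arguments the script alerts on `dcom-powershell`, `renamed-powershell` and `maintenance-script`, and stays quiet on the factory-CLSID launch, the user-launched cmd.exe (no "-Embedding") and the non-interpreter child; passing `known_maintenance_script` as an exception suppresses only the maintenance event. Note that the `in` branch is case-sensitive, so an `original_file_name` recorded in a different case than the listed values would not match; compare how your data source populates that field before relying on it.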
