Suspicious Explorer Child Process

  1[metadata]
  2creation_date = "2020/10/29"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or
 11executables from a trusted parent process.
 12"""
 13from = "now-9m"
 14index = [
 15    "logs-endpoint.events.process-*",
 16    "winlogbeat-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Suspicious Explorer Child Process"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating Suspicious Explorer Child Process
 31
 32Windows Explorer, a core component of the Windows OS, manages file and folder navigation. Adversaries exploit its trusted status to launch malicious scripts or executables, often using DCOM to start processes like PowerShell or cmd.exe. The detection rule identifies such anomalies by monitoring child processes of Explorer with specific characteristics, excluding known benign activities, to flag potential threats.
 33
 34### Possible investigation steps
 35
 36- Review the process details to confirm the suspicious child process was indeed started by explorer.exe with the specific parent arguments indicating DCOM usage, such as "-Embedding".
 37- Check the process command line arguments and execution context to identify any potentially malicious scripts or commands being executed by the child process.
 38- Investigate the parent process explorer.exe to determine if it was started by a legitimate user action or if there are signs of compromise, such as unusual user activity or recent phishing attempts.
 39- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
 40- Examine the network activity associated with the suspicious process to detect any unauthorized data exfiltration or communication with known malicious IP addresses.
 41- Assess the system for any additional indicators of compromise, such as unexpected changes in system files or registry keys, which might suggest a broader attack.
 42
 43### False positive analysis
 44
 45- Legitimate software installations or updates may trigger the rule when they use scripts or executables like PowerShell or cmd.exe. Users can create exceptions for known software update processes by identifying their specific command-line arguments or parent process details.
 46- System administrators often use scripts for maintenance tasks that might be flagged by this rule. To prevent false positives, administrators should document and exclude these routine scripts by specifying their unique process arguments or execution times.
 47- Some enterprise applications may use DCOM to launch processes for legitimate purposes. Users should identify these applications and exclude their specific process signatures or parent-child process relationships from the rule.
 48- Automated testing environments might execute scripts or commands that resemble suspicious activity. Users can mitigate false positives by excluding processes that are part of known testing frameworks or environments.
 49- Certain security tools or monitoring software may use similar techniques to gather system information. Users should verify and exclude these tools by confirming their process names and execution patterns.
 50
 51### Response and remediation
 52
 53- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
 54- Terminate the suspicious child process identified in the alert, such as cscript.exe, wscript.exe, powershell.exe, rundll32.exe, cmd.exe, mshta.exe, or regsvr32.exe, to stop any ongoing malicious actions.
 55- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
 56- Review and analyze the parent process explorer.exe and its command-line arguments to understand how the malicious process was initiated and to identify any potential persistence mechanisms.
 57- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
 58- Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence.
 59- Review and update endpoint security policies to restrict the execution of potentially malicious scripts or executables from explorer.exe, especially when initiated via DCOM."""
 60risk_score = 47
 61rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
 62severity = "medium"
 63tags = [
 64    "Domain: Endpoint",
 65    "OS: Windows",
 66    "Use Case: Threat Detection",
 67    "Tactic: Initial Access",
 68    "Tactic: Defense Evasion",
 69    "Tactic: Execution",
 70    "Data Source: Elastic Endgame",
 71    "Data Source: Elastic Defend",
 72    "Data Source: Sysmon",
 73    "Data Source: Microsoft Defender for Endpoint",
 74    "Data Source: SentinelOne",
 75    "Resources: Investigation Guide",
 76]
 77timestamp_override = "event.ingested"
 78type = "eql"
 79
 80query = '''
 81process where host.os.type == "windows" and event.type == "start" and
 82  (
 83   process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or
 84   ?process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
 85  ) and
 86  /* Explorer started via DCOM */
 87  process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and
 88  not process.parent.args:
 89          (
 90            /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs   */
 91            "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}",
 92            "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}"
 93          )
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1566"
101name = "Phishing"
102reference = "https://attack.mitre.org/techniques/T1566/"
103[[rule.threat.technique.subtechnique]]
104id = "T1566.001"
105name = "Spearphishing Attachment"
106reference = "https://attack.mitre.org/techniques/T1566/001/"
107
108[[rule.threat.technique.subtechnique]]
109id = "T1566.002"
110name = "Spearphishing Link"
111reference = "https://attack.mitre.org/techniques/T1566/002/"
112
113
114
115[rule.threat.tactic]
116id = "TA0001"
117name = "Initial Access"
118reference = "https://attack.mitre.org/tactics/TA0001/"
119[[rule.threat]]
120framework = "MITRE ATT&CK"
121[[rule.threat.technique]]
122id = "T1059"
123name = "Command and Scripting Interpreter"
124reference = "https://attack.mitre.org/techniques/T1059/"
125[[rule.threat.technique.subtechnique]]
126id = "T1059.001"
127name = "PowerShell"
128reference = "https://attack.mitre.org/techniques/T1059/001/"
129
130[[rule.threat.technique.subtechnique]]
131id = "T1059.003"
132name = "Windows Command Shell"
133reference = "https://attack.mitre.org/techniques/T1059/003/"
134
135[[rule.threat.technique.subtechnique]]
136id = "T1059.005"
137name = "Visual Basic"
138reference = "https://attack.mitre.org/techniques/T1059/005/"
139
140
141
142[rule.threat.tactic]
143id = "TA0002"
144name = "Execution"
145reference = "https://attack.mitre.org/tactics/TA0002/"
146[[rule.threat]]
147framework = "MITRE ATT&CK"
148[[rule.threat.technique]]
149id = "T1218"
150name = "System Binary Proxy Execution"
151reference = "https://attack.mitre.org/techniques/T1218/"
152
153
154[rule.threat.tactic]
155id = "TA0005"
156name = "Defense Evasion"
157reference = "https://attack.mitre.org/tactics/TA0005/"