Potential DLL Sideloading Via ClassicExplorer32.dll

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Sigma rule (View on GitHub)

 1title: Potential DLL Sideloading Via ClassicExplorer32.dll
 2id: caa02837-f659-466f-bca6-48bde2826ab4
 3status: test
 4description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
 5references:
 6    - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
 7    - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
 8author: frack113
 9date: 2022-12-13
10tags:
11    - attack.defense-evasion
12    - attack.persistence
13    - attack.privilege-escalation
14    - attack.t1574.001
15    - attack.t1574.002
16logsource:
17    category: image_load
18    product: windows
19detection:
20    selection_classicexplorer:
21        ImageLoaded|endswith: '\ClassicExplorer32.dll'
22    filter_classicexplorer:
23        ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
24    condition: selection_classicexplorer and not filter_classicexplorer
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top