Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Via ClassicExplorer32.dll
2id: caa02837-f659-466f-bca6-48bde2826ab4
3status: test
4description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
5references:
6 - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
7 - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
8author: frack113
9date: 2022-12-13
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1574.001
15 - attack.t1574.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection_classicexplorer:
21 ImageLoaded|endswith: '\ClassicExplorer32.dll'
22 filter_classicexplorer:
23 ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
24 condition: selection_classicexplorer and not filter_classicexplorer
25falsepositives:
26 - Unknown
27level: medium
References
-
APT group Mustang Panda now appears to have Europe and Asia Pacific targets in its sights. The BlackBerry Research and Intelligence team recently unearthed evidence that the group may be using global interest in the Russian-Ukraine war to deliver PlugX malware via phishing lure to unsuspecting users.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Sideloading Of ShellChromeAPI.DLL
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading