Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Via ClassicExplorer32.dll
2id: caa02837-f659-466f-bca6-48bde2826ab4
3status: test
4description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
5references:
6 - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
7 - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
8author: frack113
9date: 2022/12/13
10tags:
11 - attack.defense_evasion
12 - attack.persistence
13 - attack.privilege_escalation
14 - attack.t1574.001
15 - attack.t1574.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection_classicexplorer:
21 ImageLoaded|endswith: '\ClassicExplorer32.dll'
22 filter_classicexplorer:
23 ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
24 condition: selection_classicexplorer and not filter_classicexplorer
25falsepositives:
26 - Unknown
27level: medium
References
Related rules
- DLL Sideloading Of ShellChromeAPI.DLL
- Potential DLL Sideloading Via JsSchHlp
- Potential DLL Sideloading Via comctl32.dll
- VMGuestLib DLL Sideload
- VMMap Signed Dbghelp.DLL Potential Sideloading