Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Via ClassicExplorer32.dll
2id: caa02837-f659-466f-bca6-48bde2826ab4
3status: test
4description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
5references:
6 - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
7 - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
8author: frack113
9date: 2022-12-13
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1574.001
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection_classicexplorer:
20 ImageLoaded|endswith: '\ClassicExplorer32.dll'
21 filter_classicexplorer:
22 ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
23 condition: selection_classicexplorer and not filter_classicexplorer
24falsepositives:
25 - Unknown
26level: medium
References
-
APT group Mustang Panda now appears to have Europe and Asia Pacific targets in its sights. The BlackBerry Research and Intelligence team recently unearthed evidence that the group may be using global interest in the Russian-Ukraine war to deliver PlugX malware via phishing lure to unsuspecting users.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload