Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Via ClassicExplorer32.dll
2id: caa02837-f659-466f-bca6-48bde2826ab4
3status: test
4description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
5references:
6 - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
7 - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
8author: frack113
9date: 2022/12/13
10tags:
11 - attack.defense_evasion
12 - attack.persistence
13 - attack.privilege_escalation
14 - attack.t1574.001
15 - attack.t1574.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection_classicexplorer:
21 ImageLoaded|endswith: '\ClassicExplorer32.dll'
22 filter_classicexplorer:
23 ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
24 condition: selection_classicexplorer and not filter_classicexplorer
25falsepositives:
26 - Unknown
27level: medium
References
-
APT group Mustang Panda now appears to have Europe and Asia Pacific targets in its sights. The BlackBerry Research and Intelligence team recently unearthed evidence that the group may be using global interest in the Russian-Ukraine war to deliver PlugX malware via phishing lure to unsuspecting users.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- DLL Sideloading Of ShellChromeAPI.DLL
- Potential DLL Sideloading Via JsSchHlp
- Potential DLL Sideloading Via comctl32.dll
- VMGuestLib DLL Sideload
- VMMap Signed Dbghelp.DLL Potential Sideloading