Suspicious CustomShellHost Execution
Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
Sigma rule (View on GitHub)
1title: Suspicious CustomShellHost Execution
2id: 84b14121-9d14-416e-800b-f3b829c5a14d
3status: test
4description: |
5 Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
6references:
7 - https://github.com/LOLBAS-Project/LOLBAS/pull/180
8 - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-08-19
11modified: 2025-10-29
12tags:
13 - attack.defense-evasion
14 - attack.t1216
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage|endswith: '\CustomShellHost.exe'
21 filter_main_explorer:
22 Image: 'C:\Windows\explorer.exe'
23 condition: selection and not 1 of filter_main_*
24falsepositives:
25 - False positives are unlikely, investigate matches carefully.
26level: high
References
-
-
CustomShellHost.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Uncommon Sigverif.EXE Child Process
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Assembly Loading Via CL_LoadAssembly.ps1
- Execute Code with Pester.bat