Explorer Process Tree Break
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
Sigma rule (View on GitHub)
1title: Explorer Process Tree Break
2id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
3status: test
4description: |
5 Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
6 which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
7references:
8 - https://twitter.com/CyberRaiju/status/1273597319322058752
9 - https://twitter.com/bohops/status/1276357235954909188?s=12
10 - https://twitter.com/nas_bench/status/1535322450858233858
11 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
12author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
13date: 2019-06-29
14modified: 2025-10-31
15tags:
16 - attack.defense-evasion
17 - attack.t1036
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 # Note: See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
23 selection_factory:
24 CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
25 selection_root:
26 CommandLine|contains: 'explorer.exe'
27 CommandLine|contains|windash: ' /root,'
28 # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
29 # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
30 condition: 1 of selection_*
31falsepositives:
32 - Unknown
33level: medium
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Introduction For a malicious actor to compromise a system, they need to avoid being detected at the point of entry into the target’s network. Commonly, phishing emails delivering malicious attachments (T1193) serve as the initial access vector. Adversaries also need a way to execute code on target computers without tipping off automated tools and the The post Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader appeared first on Bromium.
Read More
Related rules
- Renamed ZOHO Dctask64 Execution
- Suspicious Computer Account Name Change CVE-2021-42287
- Potential LSASS Process Dump Via Procdump
- System File Execution Location Anomaly
- Windows Binaries Write Suspicious Extensions