Explorer Process Tree Break

calendar Aug 12, 2024 · attack.defense-evasion attack.t1036  ·
Share on: linkedin copy

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

Sigma rule (View on GitHub)

 1title: Explorer Process Tree Break
 2id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
 3status: test
 4description: |
 5  Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
 6  which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"  
 7references:
 8    - https://twitter.com/CyberRaiju/status/1273597319322058752
 9    - https://twitter.com/bohops/status/1276357235954909188?s=12
10    - https://twitter.com/nas_bench/status/1535322450858233858
11    - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
12author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
13date: 2019-06-29
14modified: 2024-06-04
15tags:
16    - attack.defense-evasion
17    - attack.t1036
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        # See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
24        - CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
25        # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
26        # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
27        - CommandLine|contains|all|windash:
28              - 'explorer.exe'
29              - ' /root,'
30    condition: selection
31falsepositives:
32    - Unknown
33level: medium

References

  • x.com


    Read More

  • x.com


    Read More

  • x.com


    Read More

  • Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader

    Introduction For a malicious actor to compromise a system, they need to avoid being detected at the point of entry into the target’s network. Commonly, phishing emails delivering malicious attachments (T1193) serve as the initial access vector. Adversaries also need a way to execute code on target computers without tipping off automated tools and the The post Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader appeared first on Bromium.


    Read More

Related rules

to-top