Proxy Execution Via Explorer.exe

calendar Mar 5, 2023 · attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Attackers can use explorer.exe for evading defense mechanisms

Sigma rule (View on GitHub)

 1title: Proxy Execution Via Explorer.exe
 2id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
 3status: test
 4description: Attackers can use explorer.exe for evading defense mechanisms
 5references:
 6    - https://twitter.com/CyberRaiju/status/1273597319322058752
 7author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
 8date: 2020/10/05
 9modified: 2021/11/27
10tags:
11    - attack.defense_evasion
12    - attack.t1218
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith: '\explorer.exe'
19        ParentImage|endswith: '\cmd.exe'
20        CommandLine|contains: 'explorer.exe'
21    condition: selection
22falsepositives:
23    - Legitimate explorer.exe run from cmd.exe
24level: low

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top