Proxy Execution Via Explorer.exe
Detects explorer.exe being started by cmd.exe with the string "explorer.exe" on its command line. Attackers use the trusted Windows shell to proxy the execution of another binary (MITRE ATT&CK T1218, System Binary Proxy Execution): the payload then shows explorer.exe, not the attacker's command shell, as its parent process, which can evade parent-child based detections.
Sigma rule
title: Proxy Execution Via Explorer.exe
id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
status: test
description: Attackers can use explorer.exe for evading defense mechanisms
references:
    - https://twitter.com/CyberRaiju/status/1273597319322058752
author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
date: 2020/10/05
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\explorer.exe'
        ParentImage|endswith: '\cmd.exe'
        CommandLine|contains: 'explorer.exe'
    condition: selection
falsepositives:
    - Legitimate explorer.exe run from cmd.exe
level: low
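The rule's selection translated into a small matcher and run over constructed process-creation events, as an added example that is not part of the Sigma rule or of this page. It assumes Sigma's default case-insensitive string matching for the endswith and contains modifiers and the process_creation field names the rule uses (Image, ParentImage, CommandLine). The sample events are constructed for the example; the `/root,"<path>"` command form in the first event is the one the LOLBAS project documents for Explorer.exe, and the event ids are arbitrary labels.

```python
"""Added example: the selection of the Sigma rule above, implemented as a
plain Python matcher and run over constructed process_creation events.
Sigma string modifiers (endswith, contains) match case-insensitively, so
the matcher lowercases both sides. Nothing here is real telemetry."""

from typing import Dict, List

# The rule's selection map, key = "Field|modifier", value = pattern.
SELECTION = {
    "Image|endswith": "\\explorer.exe",
    "ParentImage|endswith": "\\cmd.exe",
    "CommandLine|contains": "explorer.exe",
}


def _matches(field_spec: str, expected: str, event: Dict[str, str]) -> bool:
    """Evaluate one 'Field|modifier: value' pair against an event.

    A missing field never matches, which is how a SIEM treats absent data.
    """
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual, expected = actual.lower(), expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "contains":
        return expected in actual
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(event: Dict[str, str]) -> bool:
    """'condition: selection': every pair in the selection must match (AND)."""
    return all(_matches(spec, value, event) for spec, value in SELECTION.items())


def run_detection(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry).
# evt-1: the shape the rule targets; cmd.exe spawns explorer.exe with a
#        command line naming a payload in the "/root," form that the LOLBAS
#        project documents for Explorer.exe.
# evt-2: the same launch from powershell.exe; the rule does not cover it.
# evt-3: the normal logon launch of the shell (parent userinit.exe).
# evt-4: "explorer ." typed at a cmd prompt; parent is cmd.exe but the
#        recorded command line does not contain the string "explorer.exe".
SAMPLE_EVENTS = [
    {
        "id": "evt-1",
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'explorer.exe /root,"C:\Windows\System32\calc.exe"',
    },
    {
        "id": "evt-2",
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'explorer.exe /root,"C:\Windows\System32\calc.exe"',
    },
    {
        "id": "evt-3",
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
        "CommandLine": r"C:\Windows\Explorer.EXE",
    },
    {
        "id": "evt-4",
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "explorer .",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Running it alerts only on evt-1. The walk-through shows the rule's two blind spots a practitioner should know about before relying on it: the parent filter means the identical launch from powershell.exe, a script host or a scheduled task never fires, and the literal "explorer.exe" requirement on the command line means a launch typed as `explorer <path>` is missed, while any benign batch file that runs `explorer.exe` from cmd.exe will fire, which is the "legitimate explorer.exe run from cmd.exe" false positive the rule lists and the reason it ships at level low.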
References
- https://twitter.com/CyberRaiju/status/1273597319322058752
Related rules
- Devtoolslauncher.exe Executes Specified Binary
- Execution via stordiag.exe
- InfDefaultInstall.exe .inf Execution
- Abusing Print Executable
- MpiExec Lolbin