Suspicious CustomShellHost Execution

 1title: Suspicious CustomShellHost Execution
 2id: 84b14121-9d14-416e-800b-f3b829c5a14d
 3status: test
 4description: Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe'
 5references:
 6    - https://github.com/LOLBAS-Project/LOLBAS/pull/180
 7    - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/08/19
10tags:
11    - attack.defense_evasion
12    - attack.t1216
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        ParentImage|endswith: '\CustomShellHost.exe'
19    filter:
20        Image: 'C:\Windows\explorer.exe'
21    condition: selection and not filter
22falsepositives:
23    - Unknown
24level: medium

References

• Adding CustomShellHost.exe LOLBAS by wietze · Pull Request #180 · LOLBAS-Project/LOLBAS

  

  Tested on Windows 11, can confirm it works as described.

  
  Read More

• Customshellhost | LOLBAS

  Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder. CustomShellHost.exe Use caseCan be used to evade defensive counter-measures Pr...

  
  Read More

Related rules

• Execute Code with Pester.bat as Parent
• Suspicious Sigverif Execution
• SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
• UtilityFunctions.ps1 Proxy Dll
• Potential Script Proxy Execution Via CL_Mutexverifiers.ps1