| sigma |
sysmon_suspicious_remote_thread.yml |
- '\explorer.exe' |
DRL 1.0 |
| sigma |
file_event_win_creation_system_file.yml |
- '\explorer.exe' |
DRL 1.0 |
| sigma |
image_load_uipromptforcreds_dlls.yml |
- 'C:\Windows\explorer.exe' |
DRL 1.0 |
| sigma |
image_load_wmi_module_load.yml |
- '\explorer.exe' |
DRL 1.0 |
| sigma |
proc_access_win_cred_dump_lsass_access.yml |
SourceImage\|endswith: '\explorer.exe' |
DRL 1.0 |
| sigma |
proc_access_win_in_memory_assembly_execution.yml |
- 'C:\Windows\explorer.exe' |
DRL 1.0 |
| sigma |
proc_access_win_in_memory_assembly_execution.yml |
- 'C:\WINDOWS\Explorer.EXE' |
DRL 1.0 |
| sigma |
proc_access_win_in_memory_assembly_execution.yml |
- 'C:\WINDOWS\explorer.exe' |
DRL 1.0 |
| sigma |
proc_access_win_in_memory_assembly_execution.yml |
TargetImage: 'C:\Windows\Explorer.EXE' |
DRL 1.0 |
| sigma |
proc_creation_win_embed_exe_lnk.yml |
ParentImage: C:\Windows\explorer.exe |
DRL 1.0 |
| sigma |
proc_creation_win_impacket_lateralization.yml |
# runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe |
DRL 1.0 |
| sigma |
proc_creation_win_impacket_lateralization.yml |
- '\explorer.exe' # dcomexec ShellBrowserWindow |
DRL 1.0 |
| sigma |
proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml |
- 'explorer.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml |
- 'C:\WINDOWS\Explorer.EXE' |
DRL 1.0 |
| sigma |
proc_creation_win_non_interactive_powershell.yml |
description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. |
DRL 1.0 |
| sigma |
proc_creation_win_non_interactive_powershell.yml |
- '\explorer.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_renamed_megasync.yml |
ParentImage\|endswith: '\explorer.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer.yml |
title: Proxy Execution Via Explorer.exe |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer.yml |
description: Attackers can use explorer.exe for evading defense mechanisms |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer.yml |
- \explorer.exe |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer.yml |
- explorer.exe |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer.yml |
- Legitimate explorer.exe run from cmd.exe |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer_break_proctree.yml |
description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer_break_proctree.yml |
- 'explorer.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer_nouaccheck.yml |
description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks |
DRL 1.0 |
| sigma |
proc_creation_win_susp_explorer_nouaccheck.yml |
Image\|endswith: '\explorer.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_susp_razorinstaller_explorer.yml |
description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM |
DRL 1.0 |
| sigma |
proc_creation_win_susp_razorinstaller_explorer.yml |
- User selecting a different installation folder (check for other sub processes of this explorer.exe process) |
DRL 1.0 |
| sigma |
proc_creation_win_susp_userinit_child.yml |
Image\|endswith: '\explorer.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_system_exe_anomaly.yml |
- '\explorer.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_system_exe_anomaly.yml |
- Image: 'C:\Windows\explorer.exe' |
DRL 1.0 |
| sigma |
sysmon_raw_disk_access_using_illegitimate_tools.yml |
- 'C:\Windows\explorer.exe' |
DRL 1.0 |
| sigma |
registry_event_modify_screensaver_binary_path.yml |
- '\explorer.exe' |
DRL 1.0 |
| LOLBAS |
Explorer.yml |
Name: Explorer.exe |
|
| LOLBAS |
Explorer.yml |
- Command: explorer.exe calc.exe |
|
| LOLBAS |
Explorer.yml |
Description: 'Executes calc.exe as a subprocess of explorer.exe.' |
|
| LOLBAS |
Explorer.yml |
- c:\windows\explorer.exe |
|
| LOLBAS |
Explorer.yml |
- c:\windows\sysWOW64\explorer.exe |
|
| LOLBAS |
Explorer.yml |
Name: Explorer.exe |
|
| LOLBAS |
Explorer.yml |
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe" |
|
| LOLBAS |
Explorer.yml |
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe |
|
| LOLBAS |
Explorer.yml |
- Command: explorer.exe C:\Windows\System32\notepad.exe |
|
| LOLBAS |
Explorer.yml |
- Path: C:\Windows\explorer.exe |
|
| LOLBAS |
Explorer.yml |
- Path: C:\Windows\SysWOW64\explorer.exe |
|
| LOLBAS |
Explorer.yml |
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious. |
|
| LOLBAS |
Procdump.yml |
- Command: procdump.exe -md calc.dll explorer.exe |
|
| malware-ioc |
misp_invisimole.json |
"description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", |
© ESET 2014-2018 |
| malware-ioc |
win_apt_invisimole_wrapper_dll.yml |
- '\Windows\explorer.exe' |
© ESET 2014-2018 |
| atomic-red-team |
T1134.004.md |
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1204.002.md |
$sheet.Cells.Item(20,1) = “=EXEC("explorer.exe C:\Users\“&A1&"\AppData\Local\Temp\“&A3&"”)” |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1204.002.md |
$sheet.Cells.Item(22,1) = “=EXEC("explorer.exe C:\Users\“&A1&"\AppData\Local\Temp\“&A2&"”)” |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" “Shell” “explorer.exe, #{binary_to_execute}” -Force |
MIT License. © 2018 Red Canary |
| signature-base |
apt_poisonivy_gen3.yar |
$s5 = “Explorer.exe” fullword wide |
CC BY-NC 4.0 |
| signature-base |
apt_putterpanda.yar |
$s1 = “Explorer.exe "” fullword ascii /* PEStudio Blacklist: strings / / score: ‘16.05’ */ |
CC BY-NC 4.0 |
| signature-base |
apt_putterpanda.yar |
$s1 = “EXPLORER.EXE” fullword ascii /* PEStudio Blacklist: strings / / score: ‘4.98’ / / Goodware String - occured 22 times */ |
CC BY-NC 4.0 |
| signature-base |
apt_putterpanda.yar |
$s3 = “explorer.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘4.97’ / / Goodware String - occured 31 times */ |
CC BY-NC 4.0 |
| signature-base |
apt_rancor.yar |
$x2 = “CreateObject("Wscript.Shell").Run "explorer.exe ""http” ascii |
CC BY-NC 4.0 |
| signature-base |
apt_stuxnet.yar |
$s1 = “SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s0 = “explorer.exe http://bbs.yesmybi.net” fullword ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s0 = “explorer.exe http://user.qzone.qq.com/568148075” fullword wide /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
description = “Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe” |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s2 = “Codeeer Explorer.exe” fullword wide /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
exploit_uac_elevators.yar |
$s3 = “explorer.exe” wide |
CC BY-NC 4.0 |
| signature-base |
generic_anomalies.yar |
description = “Detects uncommon file size of explorer.exe” |
CC BY-NC 4.0 |
| signature-base |
generic_anomalies.yar |
and filename == “explorer.exe” |
CC BY-NC 4.0 |
| signature-base |
gen_cn_hacktools.yar |
$s3 = “explorer.exe http://www.hackdos.com” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
thor-hacktools.yar |
$s1 = “Explorer.exe” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
thor-hacktools.yar |
$s4 = “ERROR: FindProcessByName(‘explorer.exe’)” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
description = “Abnormal explorer.exe - typical strings not found in file” |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
$s1 = “EXPLORER.EXE” wide fullword |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
filename == “explorer.exe” |
CC BY-NC 4.0 |