
Description: Attackers can use explorer.exe for evading defense mechanisms.

While explorer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The following table contains possible examples of explorer.exe being misused, each with the Sigma rule that covers it.

Sysmon_raw_disk_access_using_illegitimate_tools.yml

Proc_creation_win_susp_userinit_child.yml

Proc_creation_win_susp_razorinstaller_explorer.yml
    Description: Detects an explorer.exe sub-process of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM.
    False positives: User selecting a different installation folder (check for other sub-processes of this explorer.exe process).

Proc_creation_win_susp_explorer_nouaccheck.yml
    Description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub-processes of that newly started explorer.exe to run without any UAC checks.

Proc_creation_win_susp_explorer_break_proctree.yml
    Description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer.
    False positives: Legitimate explorer.exe run from cmd.exe.

Proc_creation_win_non_interactive_powershell.yml
    Description: Detects non-interactive PowerShell activity by looking for powershell.exe whose parent process is not explorer.exe.

Proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml

Proc_creation_win_impacket_lateralization.yml
    Detection excerpt from the rule: ' \explorer.exe' # dcomexec ShellBrowserWindow # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll but parent command is explorer.exe

Proc_access_win_in_memory_assembly_execution.yml

Proc_access_win_cred_dump_lsass_access.yml

Legal Copyright: Microsoft Corporation. Product Name: Microsoft Windows Operating System.


Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.
