LOLBAS/yml/OSBinaries/Explorer.yml

---
Name: Explorer.exe
Description: Binary used for managing files and system components within Windows
Author: 'Jai Minton'
Created: '2020-06-24'
Commands:
  - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
    Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
    Category: Execute
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: explorer.exe C:\Windows\System32\notepad.exe
    Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
    Category: Execute
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 10 (Tested)
Full_Path:
  - Path: C:\Windows\explorer.exe
  - Path: C:\Windows\SysWOW64\explorer.exe
Code_Sample: 
- Code:
Detection:
 - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
Resources:
  - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
  - Link: https://twitter.com/bohops/status/1276356245541335048
  - Link: https://twitter.com/bohops/status/986984122563391488
Acknowledgement:
  - Person: Jai Minton
    Handle: '@CyberRaiju'
   - Person: Jimmy
    Handle: '@bohops'
---
Create explorer.yml 2020-06-24 13:39:59 +02:00			`---`
			`Name: Explorer.exe`
			`Description: Binary used for managing files and system components within Windows`
			`Author: 'Jai Minton'`
			`Created: '2020-06-24'`
			`Commands:`
			`- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"`
			`Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe`
			`Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1218`
			`MitreLink: https://attack.mitre.org/wiki/Technique/T1218`
			`OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10`
Added plain explorer execution 2020-07-03 21:03:07 +02:00			`- Command: explorer.exe C:\Windows\System32\notepad.exe`
			`Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe`
			`Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1218`
			`MitreLink: https://attack.mitre.org/wiki/Technique/T1218`
			`OperatingSystem: Windows 10 (Tested)`
Create explorer.yml 2020-06-24 13:39:59 +02:00			`Full_Path:`
			`- Path: C:\Windows\explorer.exe`
Update explorer.yml 2020-06-24 13:45:40 +02:00			`- Path: C:\Windows\SysWOW64\explorer.exe`
Create explorer.yml 2020-06-24 13:39:59 +02:00			`Code_Sample:`
			`- Code:`
			`Detection:`
			`- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.`
			`Resources:`
			`- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20`
Added plain explorer execution 2020-07-03 21:03:07 +02:00			`- Link: https://twitter.com/bohops/status/1276356245541335048`
			`- Link: https://twitter.com/bohops/status/986984122563391488`
Create explorer.yml 2020-06-24 13:39:59 +02:00			`Acknowledgement:`
			`- Person: Jai Minton`
			`Handle: '@CyberRaiju'`
Added plain explorer execution 2020-07-03 21:03:07 +02:00			`- Person: Jimmy`
			`Handle: '@bohops'`
Rename explorer.yml to Explorer.yml Changed capitalization 2020-07-03 14:52:29 +02:00			`---`