From dec26ada2174e1cd8528b04539abfeec8a0a2205 Mon Sep 17 00:00:00 2001 From: JPMinty Date: Wed, 24 Jun 2020 21:09:59 +0930 Subject: [PATCH 1/2] Create explorer.yml --- yml/OSBinaries/explorer.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OSBinaries/explorer.yml diff --git a/yml/OSBinaries/explorer.yml b/yml/OSBinaries/explorer.yml new file mode 100644 index 0000000..edebed6 --- /dev/null +++ b/yml/OSBinaries/explorer.yml @@ -0,0 +1,26 @@ +--- +Name: Explorer.exe +Description: Binary used for managing files and system components within Windows +Author: 'Jai Minton' +Created: '2020-06-24' +Commands: + - Command: explorer.exe /root,"C:\Windows\System32\calc.exe" + Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe + Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\explorer.exe +Code_Sample: +- Code: +Detection: + - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this. +Resources: + - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20 +Acknowledgement: + - Person: Jai Minton + Handle: '@CyberRaiju' +--- \ No newline at end of file From 663724523fffc86075539b9c791364ed896c9024 Mon Sep 17 00:00:00 2001 From: JPMinty Date: Wed, 24 Jun 2020 21:15:40 +0930 Subject: [PATCH 2/2] Update explorer.yml --- yml/OSBinaries/explorer.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/explorer.yml b/yml/OSBinaries/explorer.yml index edebed6..73ef496 100644 --- a/yml/OSBinaries/explorer.yml +++ b/yml/OSBinaries/explorer.yml 
@@ -14,6 +14,7 @@ Commands: OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\explorer.exe + - Path: C:\Windows\SysWOW64\explorer.exe Code_Sample: - Code: Detection:
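Review bot: In the first hunk (the new explorer.yml), `Code_Sample:` / `- Code:` is left with an empty value, so the entry ships a placeholder field that carries no information; either drop the `Code_Sample` block or populate `Code:` with a pointer to the command shown under `Commands`. Two smaller points in the same hunk: the file ends with a trailing `---` and `\ No newline at end of file`, so the document terminator should be followed by a newline for consistency with the other YAML entries, and the `Detection` IOC ("Multiple instances of explorer.exe or explorer.exe using the /root command line") would read more precisely if it named the parent/child relationship the `Description` already calls out, i.e. a child process whose parent is a freshly spawned explorer.exe with `/root` on its command line, since multiple explorer.exe instances alone are common on a normal desktop and would be a noisy indicator by themselves.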
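Review bot: The second hunk adds `- Path: C:\Windows\SysWOW64\explorer.exe` under `Full_Path` but leaves the `Detection` IOC unchanged, so the note that points defenders at the `/root` command line should be read as applying to both binaries; consider stating that explicitly, or otherwise noting that the SysWOW64 copy is the 32-bit build present only on 64-bit installs. This commit also does not fix the missing trailing newline introduced by the first commit (the summary shows only the single insertion), so that should be addressed before merge.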