mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-26 06:49:09 +01:00
Oddvar Moe
GitHub
commit
8bb57e1ac5
27
yml/OSBinaries/explorer.yml
Normal file
27
yml/OSBinaries/explorer.yml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
Name: Explorer.exe
|
||||
Description: Binary used for managing files and system components within Windows
|
||||
Author: 'Jai Minton'
|
||||
Created: '2020-06-24'
|
||||
Commands:
|
||||
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
|
||||
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\explorer.exe
|
||||
- Path: C:\Windows\SysWOW64\explorer.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
|
||||
Resources:
|
||||
- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
|
||||
Acknowledgement:
|
||||
- Person: Jai Minton
|
||||
Handle: '@CyberRaiju'
|
||||
---
|
||||
Loading…
Reference in New Issue
Block a user