.. /Explorer.exe

Star

Paths:

• C:\Windows\explorer.exe
• C:\Windows\SysWOW64\explorer.exe

Resources:

• https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
• https://twitter.com/bohops/status/1276356245541335048
• https://twitter.com/bohops/status/986984122563391488

Acknowledgements:

• Jai Minton (@CyberRaiju)
• Jimmy (@bohops)

Detections:

• Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml
• Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
• IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.

Execute

1. Execute calc.exe with the parent process spawning from a new instance of explorer.exe

   explorer.exe /root,"C:\Windows\System32\calc.exe"

   Use case

   Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.

   Privileges required

   User

   Operating systems

   Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1202

2. Execute notepad.exe with the parent process spawning from a new instance of explorer.exe

   explorer.exe C:\Windows\System32\notepad.exe

   Use case

   Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1202