
User selecting a different installation folder (check for other sub processes of this explorer.exe process)

Legitimate explorer.exe run from cmd.exe

Description : Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer

Description : Detects an explorer.exe sub process of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM

' \explorer.exe' # dcomexec ShellBrowserWindow

Description : Detects non-interactive PowerShell activity by looking at powershell.exe with a parent other than explorer.exe.

Description : Attackers can use explorer.exe for evading defense mechanisms

# runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll but parent command is explorer.exe

Sysmon_logon_scripts_userinitmprlogonscript_proc.yml

While explorer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The following table contains possible examples of explorer.exe being misused.

Legal Copyright: Microsoft Corporation.

