Explorer.exe
Binary used for managing files and system components within Windows
Paths
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Commands
Execute
Execute specified .exe with the parent process spawning from a new instance of explorer.exe
Use case: Executes the specified file with explorer.exe as its parent process, which breaks the expected process tree; can be used for defense evasion.
Privileges: User
explorer.exe /root,"{PATH_ABSOLUTE:.exe}"
Execute
Execute notepad.exe with the parent process spawning from a new instance of explorer.exe
Use case: Executes the specified file with explorer.exe as its parent process, which breaks the expected process tree; can be used for defense evasion.
Privileges: User
explorer.exe {PATH_ABSOLUTE:.exe}
Detection
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml
- Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
- IOC: Multiple instances of explorer.exe, or explorer.exe launched with the /root command line switch, are suspicious.
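As an added illustration of the detection notes above (this is not part of the LOLBAS entry or of the linked Sigma/Elastic rules), a small Python check over constructed Sysmon-style process-creation events flags the /root switch, explorer.exe launching an .exe from its command line, and hosts with more than one explorer.exe instance. The field names, hostnames and file paths are assumptions made for the sample.

```python
import re
from collections import Counter

# Constructed sample events with Sysmon Event ID 1 style fields (assumed layout).
# Event 3 is the child spawned via /root: it looks benign on its own because its
# parent is explorer.exe, so detection has to key on the explorer launch itself.
SAMPLE_EVENTS = [
    {"Host": "WS01", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Host": "WS01", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'explorer.exe /root,"C:\Users\Public\payload.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Host": "WS01", "Image": r"C:\Users\Public\payload.exe",
     "CommandLine": r"C:\Users\Public\payload.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Host": "WS02", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Host": "WS02", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

ROOT_SWITCH = re.compile(r"/root,", re.IGNORECASE)
# explorer.exe followed by an argument that ends in .exe (the LOLBin execution form).
EXE_ARG = re.compile(r'^\s*"?[^"\s]*explorer\.exe"?\s+.*\.exe', re.IGNORECASE)


def is_explorer(image):
    return image.lower().endswith("\\explorer.exe")


def classify(event):
    """Return the reasons an explorer.exe launch is suspicious (empty if none)."""
    reasons = []
    if not is_explorer(event["Image"]):
        return reasons
    cmd = event["CommandLine"]
    if ROOT_SWITCH.search(cmd):
        reasons.append("explorer.exe /root switch (process tree break)")
    elif EXE_ARG.search(cmd):
        reasons.append("explorer.exe launching an .exe from its command line")
    return reasons


def analyze(events):
    """Per-event findings plus hosts running more than one explorer.exe instance.
    Note: on multi-user hosts explorer.exe runs once per interactive logon, so the
    instance count should be scoped per logon session in a real deployment."""
    findings = [(e["Host"], e["CommandLine"], r) for e in events for r in classify(e)]
    per_host = Counter(e["Host"] for e in events if is_explorer(e["Image"]))
    multi = sorted(h for h, n in per_host.items() if n > 1)
    return findings, multi
```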