security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
291ca18d22f720f2ebcd30cf468f4434cecccdaa
blue-team-tools/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
T
Nasreddine Bencherchali 2e9bba557d feat: add mfdetours unsigned sideload
2023-08-14 09:43:11 +02:00

25 lines
766 B
YAML
Raw Blame History

title: Suspicious CustomShellHost Execution
id: 84b14121-9d14-416e-800b-f3b829c5a14d
status: experimental
description: Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe'
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/180
- https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
tags:
- attack.defense_evasion
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\CustomShellHost.exe'
filter:
Image: 'C:\Windows\explorer.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink