sigmaDRL-1.1from SigmaHQ/sigma
Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/image_load/image_load_side_load_classicexplorer32.yml
title: Potential DLL Sideloading Via ClassicExplorer32.dll
id: caa02837-f659-466f-bca6-48bde2826ab4
status: test
description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
references:
- https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
- https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
author: frack113
date: 2022-12-13
tags:
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection_classicexplorer:
ImageLoaded|endswith: '\ClassicExplorer32.dll'
filter_classicexplorer:
ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
condition: selection_classicexplorer and not filter_classicexplorer
falsepositives:
- Unknown
level: medium