
Explorer (b792d713-fbb4-46e6-94ae-8b9a1f4e794d)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used for managing files and system components within Windows

Author: Jai Minton

Paths:

* C:\Windows\explorer.exe
* C:\Windows\SysWOW64\explorer.exe

Resources:

* https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
* https://twitter.com/bohops/status/1276356245541335048
* https://twitter.com/bohops/status/986984122563391488

Detection:

* Sigma: proc_creation_win_explorer_break_process_tree.yml
* Sigma: proc_creation_win_explorer_lolbin_execution.yml
* Elastic: initial_access_via_explorer_suspicious_child_parent_args.toml
* IOC: Multiple instances of explorer.exe, or explorer.exe started with the /root command line switch, are suspicious. [Explorer.exe - LOLBAS Project]
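The IOC above can be applied directly to process-creation telemetry. The following is an added example (not code from the LOLBAS project or from this galaxy entry) that runs the two checks over records shaped like Sysmon Event ID 1 fields. The events, host names, process IDs and the `/root,` command line with calc.exe are constructed sample data, not captured telemetry; the field names follow Sysmon's `Image`, `ParentImage`, `CommandLine` and `Computer` naming as an assumption about the log source.

```python
"""Apply the LOLBAS explorer.exe IOC to Sysmon Event ID 1-style records.

Checks implemented:
  1. explorer.exe launched with the /root switch on its command line.
  2. More than one explorer.exe process creation per host.
All sample data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ProcessId": 4120, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"Computer": "WS01", "ProcessId": 5560, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'explorer.exe /root,"C:\Windows\System32\calc.exe"'},
    {"Computer": "WS02", "ProcessId": 3308, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"Computer": "WS02", "ProcessId": 7712, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]

# "/root" as a standalone switch (start of line or after whitespace), case-insensitive.
ROOT_SWITCH = re.compile(r"(^|\s)/root\b", re.IGNORECASE)


def is_explorer(image: str) -> bool:
    """True if the created process image is explorer.exe (any directory)."""
    return image.lower().endswith("\\explorer.exe")


def flag_root_switch(events):
    """Return the events where explorer.exe was started with the /root switch."""
    return [e for e in events
            if is_explorer(e["Image"]) and ROOT_SWITCH.search(e["CommandLine"])]


def flag_multiple_instances(events):
    """Return {host: [events]} for hosts with more than one explorer.exe creation."""
    per_host = defaultdict(list)
    for e in events:
        if is_explorer(e["Image"]):
            per_host[e["Computer"]].append(e)
    return {host: evs for host, evs in per_host.items() if len(evs) > 1}


def triage(events):
    """Combine both checks into a list of (rule, host, process id(s)) findings."""
    findings = []
    for e in flag_root_switch(events):
        findings.append(("explorer_root_switch", e["Computer"], e["ProcessId"]))
    for host, evs in flag_multiple_instances(events).items():
        findings.append(("multiple_explorer_instances", host,
                         tuple(e["ProcessId"] for e in evs)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only WS01 is flagged: once for the `/root` command line and once for having two explorer.exe creations. The multiple-instances check needs tuning in practice: a host with several interactive sessions, an Explorer crash and restart, or the "Launch folder windows in a separate process" setting legitimately produces more than one explorer.exe, so scope the count per logon session and weight it by parent (the logon shell is normally started by userinit.exe, as in the constructed events, whereas a second instance spawned from cmd.exe or an Office process is the interesting case).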

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Explorer (b792d713-fbb4-46e6-94ae-8b9a1f4e794d) | Tidal Software | Kimsuky (37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) | Tidal Groups | 1 |
| Explorer (b792d713-fbb4-46e6-94ae-8b9a1f4e794d) | Tidal Software | APT28 (5b1a5b9e-4722-41fc-a15d-196a549e3ac5) | Tidal Groups | 1 |