LoFP: false positives are unlikely; investigate matches carefully.

Techniques

Sample rules

Suspicious CustomShellHost Execution

Description

Detects the execution of CustomShellHost.exe where the child process is not C:\Windows\explorer.exe. CustomShellHost is a known LOLBin that attackers can abuse for defense evasion.

Detection logic

selection:
  ParentImage|endswith: \CustomShellHost.exe
filter_main_explorer:
  Image: C:\Windows\explorer.exe
condition: selection and not 1 of filter_main_*
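As an added example (not part of the LoFP page or the Sigma rule itself), the detection logic above evaluated in Python over constructed process-creation events; the field names follow the rule, and the helpers apply Sigma's default case-insensitive string matching so a lower-cased ParentImage still matches.

```python
# Added example: evaluates the Sigma detection above over constructed
# process-creation events. Not part of the LoFP page or the rule itself.
from typing import Dict, List

EXPLORER = r"C:\Windows\explorer.exe"
PARENT_SUFFIX = r"\CustomShellHost.exe"

def _sigma_eq(value: str, pattern: str) -> bool:
    # Sigma string matching is case-insensitive by default.
    return value.lower() == pattern.lower()

def _sigma_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())

def selection(event: Dict[str, str]) -> bool:
    # selection: ParentImage|endswith: \CustomShellHost.exe
    return _sigma_endswith(event.get("ParentImage", ""), PARENT_SUFFIX)

def filter_main_explorer(event: Dict[str, str]) -> bool:
    # filter_main_explorer: Image: C:\Windows\explorer.exe
    return _sigma_eq(event.get("Image", ""), EXPLORER)

def matches(event: Dict[str, str]) -> bool:
    # condition: selection and not 1 of filter_main_*
    filters = [filter_main_explorer]
    return selection(event) and not any(f(event) for f in filters)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\CustomShellHost.exe",
     "Image": r"C:\Windows\explorer.exe"},        # expected child, filtered out
    {"ParentImage": r"C:\Windows\System32\CustomShellHost.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},    # unexpected child, alert
    {"ParentImage": r"C:\Windows\System32\customshellhost.exe",
     "Image": r"C:\Users\Public\explorer.exe"},   # explorer.exe from wrong path, alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},    # parent not CustomShellHost, no match
]

def alerting_children(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]

if __name__ == "__main__":
    for image in alerting_children(SAMPLE_EVENTS):
        print("ALERT:", image)
```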