![rundll32 exe advapi32.dll rundll32 exe advapi32.dll](https://uploads.projectunderstood.com/wp-content/uploads/guides/1056/azcowpzq2i.jpg)
Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. "description" : "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Command : procdump.exe -md calc.dll explorer.exe IOC : Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this. Path : C:\Windows\SysWOW64\explorer.exe Command : explorer.exe C:\Windows\System32\notepad.exe Command : explorer.exe /root,"C:\Windows\System32\calc.exe"ĭescription : Execute calc.exe with the parent process spawning from a new instance of explorer.exe Sysmon_modify_screensaver_binary_path.ymlĭescription : ' Executes calc.exe as a subprocess of explorer.exe.' User selecting a different installation folder (check for other sub processes of this explorer.exe process)
![rundll32 exe advapi32.dll rundll32 exe advapi32.dll](https://www.netbooknews.com/wp-content/uploads/2019/04/How-to-clean-laptop-memory.jpg)
#Rundll32 exe advapi32.dll software#
Legitimate explorer.exe run from cmd.exeĭescription : Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorerĭescription : Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM ' \explorer.exe' # dcomexec ShellBrowserWindowĭescription : Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.ĭescription : Attackers can use explorer.exe for evading defense mechanisms # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll but parent command is explorer.exe Sysmon_logon_scripts_userinitmprlogonscript_proc.yml While explorer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The following table contains possible examples of explorer.exe being misused. Legal Copyright: Microsoft Corporation.
![rundll32 exe advapi32.dll rundll32 exe advapi32.dll](https://rbportal.weebly.com/uploads/4/8/2/0/48203725/3647348.jpg)
#Rundll32 exe advapi32.dll windows#