Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential DLL Sideloading Via ClassicExplorer32.dll

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Tue Dec 13caa02837-f659-466f-bca6-48bde2826ab4windows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic2 selectors
detection:
    selection_classicexplorer:
        ImageLoaded|endswith: '\ClassicExplorer32.dll'
    filter_classicexplorer:
        ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
    condition: selection_classicexplorer and not filter_classicexplorer
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
blogs.blackberry.com
2
Resolving title…
app.any.run
MITRE ATT&CK
Rule Metadata
Rule ID
caa02837-f659-466f-bca6-48bde2826ab4
Status
test
Level
medium
Type
Detection
Created
Tue Dec 13
Author
François Hubaut
Path
rules/windows/image_load/image_load_side_load_classicexplorer32.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001
View on GitHub