I'm wondering if anyone else is running into this.
I'm getting notified about C:\Windows\explorer.exe.
Is this DI blocking Windows Explorer itself, or is explorer being used to try to run some code? Should I add the file to the allow list, or will this allow crazy stuff to be run from an Explorer window? Below are the details of the notification:
Event ID XXXXXX
Occurrences 1
Start Date 2024-06-11 17:47:28.882089
Received on Server 2024-06-11 17:47:32.201895
Last Occurrence 2024-06-11 17:47:28.882089
Event Type Behavioral Analysis - Arbitrary Shellcode
Deep Classification None
Threat Severity Very high
Details C:\Windows\explorer.exe
File Type PE
File Hash 1bb449c7c14500efc1325cf6a6fd8ef9ffd0216d120187298d57706c3eb6d3db
MITRE ATT&CK mitreId=TA0002.T1204.002 mitreTactic=Execution mitreTechnique=User Execution mitreSubTechnique=Malicious File
Device IP 192.168.1.28
Device Name XXX-PC
Platform Windows
Logged in Users XXX-PC\eric,XXX-pc\Timothy
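A quick way to tell the two cases apart (the explorer.exe binary on disk has been tampered with, versus the legitimate explorer.exe process being used to execute injected shellcode) is to check the file's Authenticode signature and compare its SHA256 with the hash in the alert, then look at what launched the running explorer.exe. The script below is an added triage example, not something from the original post or from Deep Instinct; it uses only built-in PowerShell cmdlets, is meant to be run as an administrator on the affected machine, and copies the hash value from the alert above as the comparison reference.

```powershell
# Added triage example (not part of the original post or the vendor's tooling).
# Step 1: is the file on disk the genuine, Microsoft-signed binary, and does its
# hash match the one the alert reported? The alert hash below is copied from the post.
$Path      = 'C:\Windows\explorer.exe'
$AlertHash = '1bb449c7c14500efc1325cf6a6fd8ef9ffd0216d120187298d57706c3eb6d3db'

$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

[pscustomobject]@{
    Path            = $Path
    SignatureStatus = $sig.Status                      # expect 'Valid' for a stock system file
    Signer          = $sig.SignerCertificate.Subject   # expect a Microsoft Windows subject
    OnDiskSHA256    = $hash
    MatchesAlert    = ($hash -ieq $AlertHash)          # True: the alert is about this exact file
}

# Step 2: which explorer.exe processes are running, and what started them?
# Win32_Process exposes ParentProcessId, so the parent can be resolved directly.
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        PID         = $_.ProcessId
        Owner       = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User
        ParentPID   = $_.ParentProcessId
        ParentName  = $parent.Name        # empty if the parent has already exited
        CommandLine = $_.CommandLine
        Started     = $_.CreationDate
    }
}
```

How to read the result: a valid Microsoft signature together with a hash that matches the alert means the file itself is the unmodified system binary, so the detection is about behaviour inside the explorer.exe process (which is what "Arbitrary Shellcode" under a behavioural-analysis event type describes), not about a malicious file. In that case adding the file hash to the allow list does not address whatever caused the behaviour; the more useful next steps are the parent process and command line from step 2, the user under which it ran (the alert lists two logged-in users), and any other process events around 17:47:28 on that host. If the signature is not valid or the hash does not match, the binary has been replaced and the machine should be treated as compromised rather than allow-listed.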