• Chris Toews
    0
    I'm wondering if anyone else is running into this.
    I'm getting notified about C:\Windows\explorer.exe

    Is this DI blocking Windows Explorer itself? Or is explorer being used to try to run some code? Should I add the file to the allow list, or will this allow crazy stuff to be run from an Explorer window? Below are the details of the notification:

    Event ID XXXXXX
    Occurrences 1
    Start Date 2024-06-11 17:47:28.882089
    Received on Server 2024-06-11 17:47:32.201895
    Last Occurrence 2024-06-11 17:47:28.882089
    Event Type Behavioral Analysis - Arbitrary Shellcode
    Deep Classification None
    Threat Severity Very high
    Details C:\Windows\explorer.exe
    File Type PE
    File Hash 1bb449c7c14500efc1325cf6a6fd8ef9ffd0216d120187298d57706c3eb6d3db
    MITRE ATT&CK mitreId=TA0002.T1204.002 mitreTactic=Execution mitreTechnique=User Execution mitreSubTechnique=Malicious File
    Device IP 192.168.1.28
    Device Name XXX-PC
    Platform Windows
    Logged in Users XXX-PC\eric,XXX-pc\Timothy
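A small triage helper for a notification like the one in the post, added here as an example rather than anything from the original post or from the Deep Instinct product: it parses the `Label value` block into fields, splits the MITRE and logged-in-user fields, and applies a defender's rule of thumb (my assumption, not vendor guidance) that a behavioral detection on a binary under `C:\Windows\` should be checked against a known-good copy and its signature rather than allow-listed, because the flagged activity is usually code running inside that process rather than the binary on disk. The notification text embedded in the script is a constructed copy of the post's details with its placeholder values left in place.

```python
import re
from dataclasses import dataclass, field

# Field labels used by the notification block; each line is "<label> <value>",
# and labels themselves contain spaces, so match the longest known label first.
LABELS = sorted([
    "Event ID", "Occurrences", "Start Date", "Received on Server",
    "Last Occurrence", "Event Type", "Deep Classification", "Threat Severity",
    "Details", "File Type", "File Hash", "MITRE ATT&CK", "Device IP",
    "Device Name", "Platform", "Logged in Users",
], key=len, reverse=True)

# Constructed sample: the notification from the post, placeholders included.
SAMPLE_ALERT = r"""
Event ID XXXXXX
Occurrences 1
Start Date 2024-06-11 17:47:28.882089
Received on Server 2024-06-11 17:47:32.201895
Last Occurrence 2024-06-11 17:47:28.882089
Event Type Behavioral Analysis - Arbitrary Shellcode
Deep Classification None
Threat Severity Very high
Details C:\Windows\explorer.exe
File Type PE
File Hash 1bb449c7c14500efc1325cf6a6fd8ef9ffd0216d120187298d57706c3eb6d3db
MITRE ATT&CK mitreId=TA0002.T1204.002 mitreTactic=Execution mitreTechnique=User Execution mitreSubTechnique=Malicious File
Device IP 192.168.1.28
Device Name XXX-PC
Platform Windows
Logged in Users XXX-PC\eric,XXX-pc\Timothy
"""


def parse_alert(text: str) -> dict:
    """Turn the flat notification text into a label -> value dictionary."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for label in LABELS:
            if line == label or line.startswith(label + " "):
                fields[label] = line[len(label):].strip()
                break
    return fields


def parse_mitre(value: str) -> dict:
    """Split 'key=value key=value' where values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", value))


def parse_users(value: str) -> list:
    """Logged-in users are a comma-separated list of DOMAIN\\user entries."""
    return [u.strip() for u in value.split(",") if u.strip()]


@dataclass
class Triage:
    path: str
    sha256_valid: bool      # File Hash looks like a SHA-256 digest
    system_binary: bool     # flagged path lives under C:\Windows\
    behavioral: bool        # detection came from behavioral analysis
    allow_list_safe: bool   # heuristic: is an allow-list entry a sane response?
    notes: list = field(default_factory=list)


def triage(fields: dict) -> Triage:
    """Apply the (assumed) rule of thumb described in the lead-in."""
    path = fields.get("Details", "")
    digest = fields.get("File Hash", "")
    sha256_valid = re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None
    system_binary = path.lower().startswith("c:\\windows\\")
    behavioral = fields.get("Event Type", "").startswith("Behavioral Analysis")
    notes = []
    if behavioral and system_binary:
        notes.append("Behavioral detection on a Windows system binary: the flagged "
                     "activity is likely code running inside the trusted process, not "
                     "the file itself; allow-listing the path would silence every "
                     "future detection involving that process.")
        notes.append("Compare File Hash with the same file on a known-good host of the "
                     "same Windows build and verify its Authenticode signature.")
    if not sha256_valid:
        notes.append("File Hash is not a 64-hex SHA-256 digest; do not use it for lookups.")
    return Triage(path, sha256_valid, system_binary, behavioral,
                  allow_list_safe=not (behavioral and system_binary), notes=notes)


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    result = triage(parsed)
    print(parse_mitre(parsed["MITRE ATT&CK"]))
    print(parse_users(parsed["Logged in Users"]))
    print(result)
```

Run it as-is to see the parsed fields and the triage notes for the sample; pointing `parse_alert` at a pasted notification from another event is the only change needed to reuse it.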