Suspicious CustomShellHost Execution (84b14121-9d14-416e-800b-f3b829c5a14d)
Detects the execution of CustomShellHost.exe where the child process is not 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that attackers can abuse for defense evasion.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | Suspicious CustomShellHost Execution (84b14121-9d14-416e-800b-f3b829c5a14d) | Sigma-Rules | 1 |