Explorer Process Tree Break (949f1ffb-6e85-4f00-ae1e-c3c5b190d605)
Detects a command-line process that uses explorer.exe to launch arbitrary commands or binaries. This is similar to cmd.exe /c, except that it breaks the process tree: the launched process's parent becomes a new instance of explorer.exe spawned from "svchost".
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Explorer Process Tree Break (949f1ffb-6e85-4f00-ae1e-c3c5b190d605) | Sigma-Rules | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1 |