From dec26ada2174e1cd8528b04539abfeec8a0a2205 Mon Sep 17 00:00:00 2001
From: JPMinty <mad.dogga@hotmail.com>
Date: Wed, 24 Jun 2020 21:09:59 +0930
Subject: [PATCH] Create explorer.yml

---
 yml/OSBinaries/explorer.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 yml/OSBinaries/explorer.yml

diff --git a/yml/OSBinaries/explorer.yml b/yml/OSBinaries/explorer.yml
new file mode 100644
index 0000000..edebed6
--- /dev/null
+++ b/yml/OSBinaries/explorer.yml
@@ -0,0 +1,26 @@
+---
+Name: Explorer.exe
+Description: Binary used for managing files and system components within Windows
+Author: 'Jai Minton'
+Created: '2020-06-24'
+Commands:
+  - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
+    Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
+    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\explorer.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
+Resources:
+  - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
+Acknowledgement:
+  - Person: Jai Minton
+    Handle: '@CyberRaiju'
+---
\ No newline at end of file