Suspicious Explorer Child Process via DCOM
A suspicious Windows Explorer child process is detected, indicating potential exploitation of explorer.exe to launch malicious scripts or executables from a trusted parent process via DCOM.
This detection identifies suspicious child processes spawned by explorer.exe on Windows systems, focusing on processes initiated via Component Object Model (COM) with arguments indicative of DCOM usage, such as -Embedding. Attackers may abuse the trusted status of explorer.exe to launch malicious payloads, bypassing security controls that might otherwise detect the execution of these payloads from less reputable parent processes. This activity is typically observed when a user clicks a malicious link or opens a weaponized document, leading to the execution of malicious scripts or binaries. The processes of interest include cscript.exe, wscript.exe, powershell.exe, rundll32.exe, cmd.exe, mshta.exe, and regsvr32.exe. This detection aims to identify these anomalous parent-child process relationships to uncover potential initial access, execution, and defense evasion attempts. The rule was last updated on 2026/04/07.
Attack Chain
- A user receives a phishing email containing a malicious link or attachment (T1566, T1566.001, T1566.002).
- The user clicks the link or opens the attachment, triggering the execution of a malicious script or executable.
- The script or executable leverages Component Object Model (COM) to initiate
explorer.exewith the-Embeddingargument (T1559.001). explorer.exethen spawns a child process such aspowershell.exe,cmd.exe,mshta.exe,regsvr32.exe,cscript.exe,wscript.exe, orrundll32.exe(T1059, T1218).- The spawned process executes malicious commands or scripts, potentially downloading further payloads or establishing persistence.
- The attacker gains initial access to the system and can perform further actions like lateral movement, data exfiltration, or privilege escalation (TA0001, TA0002).
- The attacker attempts to evade defenses by leveraging a trusted process (
explorer.exe) to execute malicious code (TA0005). - The ultimate objective is often to deploy ransomware, steal sensitive data, or establish a persistent foothold on the compromised system.
Impact
Successful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. While the number of victims and targeted sectors are unspecified, the nature of this attack can affect any Windows environment. The compromise occurs when a user interacts with a malicious file or link, resulting in the execution of arbitrary code under the guise of a trusted process. If successful, the attacker gains an initial foothold, leading to further malicious activities within the network.
Recommendation
- Deploy the "Suspicious Explorer Child Process" Sigma rule to your SIEM and tune for your environment (rule).
- Enable process creation logging, specifically monitoring for parent-child relationships involving
explorer.exeand scripting engines (logsource). - Review and update endpoint security policies to restrict the execution of potentially malicious scripts or executables from
explorer.exe, especially when initiated via DCOM (rule). - Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence (rule).
Detection coverage 3
Suspicious Explorer Child Process via DCOM - PowerShell
mediumDetects PowerShell spawned by explorer.exe via DCOM.
Suspicious Explorer Child Process via DCOM - Cmd
mediumDetects cmd.exe spawned by explorer.exe via DCOM.
Suspicious Explorer Child Process via DCOM - Mshta
mediumDetects mshta.exe spawned by explorer.exe via DCOM.
Detection queries are available on the platform. Get full rules →