Adversaries may plant a malicious DLL named ClassicExplorer32.dll where a legitimate, signed Classic Shell executable will load it, so the payload runs inside a trusted process and slips past controls that trust the host binary rather than every module it loads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate DLL sideloading that could evade traditional detection mechanisms.
Detection Rule
title: Potential DLL Sideloading Via ClassicExplorer32.dll
id: caa02837-f659-466f-bca6-48bde2826ab4
status: test
description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
references:
    - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
    - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
author: frack113
date: 2022-12-13
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection_classicexplorer:
        ImageLoaded|endswith: '\ClassicExplorer32.dll'
    filter_classicexplorer:
        ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
    condition: selection_classicexplorer and not filter_classicexplorer
falsepositives:
    - Unknown
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\"))
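The following Python is an added example, not code from the rule's author or from the Classic Shell project. It re-implements the rule's matching logic (selection and not filter, with the case-insensitive comparison that both Sigma modifiers and KQL endswith/startswith perform), runs it over a handful of constructed image-load records, and adds the hash-based second-stage check suggested in the false-positive scenarios on this page. The record field names, process names, user names and every hash value are constructed assumptions; only the DLL name and the install path come from the rule.

```python
# Added example: minimal re-implementation of the Sigma rule above, run over
# constructed image-load events, plus a known-good-hash triage step.
from dataclasses import dataclass
from typing import Iterable, List, Set

# Values taken from the rule (selection suffix and filter prefix).
TARGET_DLL_SUFFIX = "\\ClassicExplorer32.dll"
LEGIT_INSTALL_PREFIX = "C:\\Program Files\\Classic Shell\\"


@dataclass(frozen=True)
class ImageLoadEvent:
    """Subset of an image_load / DeviceImageLoadEvents record.

    Field names are assumptions for this example, not the telemetry schema.
    """
    image_loaded: str   # full path of the DLL that was mapped
    process_name: str   # process that loaded it (constructed names below)
    user: str           # account the process runs as
    sha256: str         # hash of the loaded DLL


def matches_rule(image_loaded: str) -> bool:
    """selection_classicexplorer and not filter_classicexplorer.

    Sigma's endswith/startswith modifiers and KQL's endswith/startswith are
    case-insensitive, so both sides are lower-cased. A case-sensitive port
    would alert on the genuine install directory written in another case
    and miss a DLL named classicexplorer32.DLL.
    """
    path = image_loaded.lower()
    return (path.endswith(TARGET_DLL_SUFFIX.lower())
            and not path.startswith(LEGIT_INSTALL_PREFIX.lower()))


def hunt(events: Iterable[ImageLoadEvent]) -> List[ImageLoadEvent]:
    """Return the events the rule would raise, in input order."""
    return [e for e in events if matches_rule(e.image_loaded)]


# Constructed placeholder; a real allowlist would hold hashes taken from a
# clean Classic Shell installation.
KNOWN_GOOD_SHA256: Set[str] = {"constructed-sha256-of-genuine-classicexplorer32"}


def triage(event: ImageLoadEvent, known_good: Set[str] = KNOWN_GOOD_SHA256) -> str:
    """Second-stage check: a copy of the genuine DLL sitting outside the
    install directory is lower priority than an unknown DLL carrying the
    same name next to a trusted executable, which is the sideloading shape."""
    if event.sha256.lower() in known_good:
        return "known-good-copy"
    return "unknown-dll"


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ImageLoadEvent("C:\\Program Files\\Classic Shell\\ClassicExplorer32.dll",
                   "explorer.exe", "CORP\\alice",
                   "constructed-sha256-of-genuine-classicexplorer32"),
    ImageLoadEvent("c:\\program files\\classic shell\\CLASSICEXPLORER32.DLL",
                   "explorer.exe", "CORP\\bob",
                   "constructed-sha256-of-genuine-classicexplorer32"),
    ImageLoadEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\ClassicExplorer32.dll",
                   "constructed-host.exe", "CORP\\alice",
                   "constructed-sha256-unknown-1"),
    ImageLoadEvent("C:\\ProgramData\\Update\\ClassicExplorer32.dll",
                   "constructed-host.exe", "CORP\\admin",
                   "constructed-sha256-of-genuine-classicexplorer32"),
    ImageLoadEvent("C:\\Program Files\\Classic Shell\\ClassicShellUpdate.dll",
                   "explorer.exe", "CORP\\alice",
                   "constructed-sha256-other-module"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{triage(hit):16} {hit.process_name:20} {hit.user:12} {hit.image_loaded}")
```

Of the five constructed records only the two loads outside the install directory are returned; the second record shows that the differently cased legitimate path is still filtered. Note that the filter is tied to the default install path, so a Classic Shell installed on another drive or into a non-default folder will alert on every load, which is the place to add a site-specific filter rather than widening the prefix to something an attacker can also write to.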
Scenario: Scheduled Task Running Classic Shell Explorer Replacement
Description: A legitimate scheduled task is configured to launch ClassicExplorer32.dll as part of a user’s custom shell environment.
Filter/Exclusion: Check the TaskName field for known legitimate task names (e.g., "Classic Shell - Explorer"), and verify the process is running under a user’s context with a valid username.
Scenario: System Update or Patch Installation Using Classic Shell
Description: During a system update, a user might have Classic Shell running, and the update process temporarily loads ClassicExplorer32.dll as part of a compatibility check.
Filter/Exclusion: Filter by ProcessName to exclude instances where the process is ClassicExplorer32.exe and check the ParentProcess for known update services (e.g., svchost.exe, wuauserv.exe).
Scenario: Administrator Performing DLL Replacement for Compatibility
Description: An admin may manually replace ClassicExplorer32.dll in a user’s profile to enable compatibility with legacy applications.
Filter/Exclusion: Filter by User field to identify admin accounts, and check the FileHash or FileVersion of the DLL to confirm it matches a known legitimate version of Classic Shell.
Scenario: Antivirus or Security Software Using Classic Shell Components
Description: Some security tools may integrate with Classic Shell to provide a more familiar interface, and may load ClassicExplorer32.dll as part of their UI.
Filter/Exclusion: Check the ProcessName for known security software (e.g., Malwarebytes.exe, Kaspersky.exe), and verify the ParentProcess is a legitimate security tool.
Scenario: User-Initiated DLL Load for Custom Shell Environment
Description: