Suspicious CustomShellHost Execution

Hunt Hypothesis

Detects the execution of CustomShellHost.exe where the child isn’t located in ‘C:\Windows\explorer.exe’. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion technique

Detection Rule

Sigma (Original)

title: Suspicious CustomShellHost Execution
id: 84b14121-9d14-416e-800b-f3b829c5a14d
status: test
description: |
    Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/180
    - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2025-10-29
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\CustomShellHost.exe'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives are unlikely, investigate matches carefully.
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\CustomShellHost.exe" or ActingProcessName endswith "\\CustomShellHost.exe") and (not(TargetProcessName =~ "C:\\Windows\\explorer.exe"))

Required Data Sources

False Positive Guidance

• False positives are unlikely, investigate matches carefully.

MITRE ATT&CK Context

• Technique: T1216 — T1216

References

• https://github.com/LOLBAS-Project/LOLBAS/pull/180
• https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
• SigmaHQ Rule