Hal Pomeranz · Oct 15, 2020 · 8:32 PM UTC

Hal Pomeranz · Oct 15, 2020 · 8:32 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

15 Oct 2020

I summon the collective #DFIR wisdom of Twitter. User attempts to launch Windows Explorer and another program starts instead. I'm assuming a registry setting, but which one?

Oct 15, 2020 · 8:32 PM UTC

NetSec Samurai🏴󠁧󠁢󠁳󠁣󠁴󠁿 · Oct 15, 2020 · 8:37 PM UTC

NetSec Samurai🏴󠁧󠁢󠁳󠁣󠁴󠁿 @DFIRSamurai

15 Oct 2020

Replying to @hal_pomeranz

Which explorer? The main desktop process or the file manager?

Hal Pomeranz · Oct 15, 2020 · 8:43 PM UTC

Hal Pomeranz @hal_pomeranz

15 Oct 2020

The file manager

𝕸𝓎𝖐𝖎𝖑𝖑 ☠️ · Oct 15, 2020 · 9:18 PM UTC

𝕸𝓎𝖐𝖎𝖑𝖑 ☠️ @mykill

15 Oct 2020

Replying to @hal_pomeranz

Debugger value under Image File Execution Options key? Just brainstorming. blog.malwarebytes.com/101/20…

Hal Pomeranz · Oct 16, 2020 · 1:39 PM UTC

Hal Pomeranz @hal_pomeranz

16 Oct 2020

Good idea, not the execution mechanism in this case

Phill Moore · Oct 16, 2020 · 9:27 AM UTC

Phill Moore @phillmoore

16 Oct 2020

Replying to @hal_pomeranz

Recmd with SA parameter across all hives and search for the executable that launched? Then review the keys individually. May get lucky!

Hal Pomeranz · Oct 16, 2020 · 12:28 PM UTC

Hal Pomeranz @hal_pomeranz

16 Oct 2020

Yeah, that's basically what I'm down to at this point

Joe Sylve 🐘 @jtsylve@infosec.exchange · Oct 16, 2020 · 12:40 AM UTC

Joe Sylve 🐘 @jtsylve@infosec.exchange @jtsylve

16 Oct 2020

Replying to @hal_pomeranz

Replaced LNK file?

Hal Pomeranz · Oct 16, 2020 · 1:17 PM UTC

Hal Pomeranz @hal_pomeranz

16 Oct 2020

Good thought, but I'm not finding any

Joe Sylve 🐘 @jtsylve@infosec.exchange · Oct 16, 2020 · 2:23 PM UTC

Joe Sylve 🐘 @jtsylve@infosec.exchange @jtsylve

16 Oct 2020

Replying to @hal_pomeranz

App compatibility?

Hal Pomeranz · Oct 16, 2020 · 3:32 PM UTC

Hal Pomeranz @hal_pomeranz

16 Oct 2020

Not that I'm seeing.