During a security assessment, defenders notice an additional instance of explorer.exe launching scripts, yet no user is interacting with the system. What technique might the attacker be leveraging for stealth?
Scanning overlooked subnets for outdated services
Using impersonation tokens to gain elevated roles
Configuring domain trusts to reuse accounts
Hijacking the graphical shell to execute hidden processes
The attacker is likely abusing the built-in Windows graphical shell (explorer.exe) to execute payloads while appearing normal: the malicious scripts are spawned under a familiar, always-present executable so they blend in with routine user activity. Detection therefore hinges on context rather than the image name alone, such as an unexpected second explorer.exe instance, script interpreters as its children, or shell activity with no interactive session. Domain trusts do not explain unexpected script launches, and impersonation tokens or scanning unpatched services do not account for hidden processes running under this file manager.