During a security assessment, defenders notice an additional instance of explorer.exe launching scripts, yet no user is interacting with the system. What technique might the attacker be leveraging for stealth?
Scanning overlooked subnets for outdated services
Configuring domain trusts to reuse accounts
Hijacking the graphical shell to execute hidden processes
The attacker is likely using the built-in Windows graphical shell to execute payloads while appearing normal. This is done by spawning processes under a familiar executable to blend malicious actions with regular activity. Domain trusts do not explain unexpected script launches, and identity tokens or scanning unpatched services do not address hidden processes associated with this file manager.