Icon Overlay Handler

Veramine edited this page Jul 7, 2017 · 4 revisions

Windows provides a feature where an arbitrary DLL can be registered so that explorer.exe loads it as an executable image to alter the appearance of file icons. This is the Icon Overlay Handler feature; you can read more about it at https://msdn.microsoft.com/en-us/library/windows/desktop/hh127455.aspx. An adversary can register their own icon overlay handler to have their malicious code loaded by explorer.exe in the context of the logged-on user, giving them persistence without a separate process of their own.

Veramine's detection engine detects instances where an application has added an Icon Overlay Handler. Here is an example detection:

As a defender, you can click on the msiexec.exe hyperlink to see how the msiexec.exe process (PID 5364) that registered this new icon overlay was launched:

The same page also shows all the binaries loaded by this process. In this case, here were the most recent:

Clicking on any of these binaries reveals that this was likely a legitimate software install and not an attacker persistence mechanism. For extra verification, one could click the Download link to get a copy of the binary, since the Veramine platform saves a single copy of every binary loaded by any process across the corporate network.
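Outside the Veramine console, a defender can audit the same mechanism directly on a host. The script below is an added example, not code from this page or from the Veramine platform: it enumerates the ShellIconOverlayIdentifiers registry key described in the MSDN article linked above, resolves each handler's CLSID to the InprocServer32 DLL that explorer.exe will load, and flags entries whose DLL is not validly Authenticode-signed or sits outside the Program Files and Windows directories. The function name Get-IconOverlayHandler and the "trusted directory" heuristic are assumptions of this example.

```powershell
# Added audit example (not Veramine's code): list registered icon overlay handlers
# and flag DLLs explorer.exe would load that are unsigned or in unusual locations.
$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'

# Assumed heuristic: a legitimately installed handler normally lives under one of these roots.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-IconOverlayHandler {
    Get-ChildItem -Path $overlayKey -ErrorAction SilentlyContinue | ForEach-Object {
        $name  = $_.PSChildName
        # The subkey's default value holds the CLSID of the handler COM object.
        $clsid = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $clsid) { return }

        # The CLSID's InprocServer32 default value is the DLL path explorer.exe loads.
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }

        # Check the on-disk file's Authenticode status; a missing file is itself worth a look.
        $sigStatus = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        } else { 'FileMissing' }

        $inTrustedDir = $false
        foreach ($root in $trustedRoots) {
            if ($dll -and $dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedDir = $true
            }
        }

        [pscustomobject]@{
            Handler    = $name
            CLSID      = $clsid
            Dll        = $dll
            Signature  = $sigStatus
            Suspicious = ($sigStatus -ne 'Valid') -or (-not $inTrustedDir)
        }
    }
}

# Suspicious entries first, so anything needing manual review is at the top of the table.
Get-IconOverlayHandler | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session so the registry view matches the one the 64-bit explorer.exe uses; a "Suspicious" result is a prompt for the kind of process-ancestry and binary review shown above, not proof of compromise.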