Icon Overlay Handler
Veramine edited this page Apr 14, 2017 · 4 revisions
Windows provides a feature where an arbitrary DLL can be loaded as an executable image by explorer.exe to alter the appearance of icons. This is the Icon Overlay Handler feature. You can read more about it at https://msdn.microsoft.com/en-us/library/windows/desktop/hh127455.aspx. An adversary can register their own icon overlay handler to have their malicious code loaded by explorer.exe in the logged-on user context.
Veramine's detection engine detects instances where an application has added an Icon Overlay Handler. Here is an example detection:
For more information about our AppInit DLL tactic detection mechanism, please log in to the Veramine portal and review the User's Guide Registry Writes detection category.
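The registration the page describes leaves a trace in registry-write telemetry: a new subkey under Explorer's ShellIconOverlayIdentifiers key whose default value names a CLSID, and (usually from the same process) an InprocServer32 entry for that CLSID pointing at the DLL explorer.exe will load. The following is an added example of that detection logic, not Veramine's engine or code; it runs over constructed records shaped like Sysmon registry events (Event ID 12 for key create/delete, 13 for value set) and the event field names, process paths, CLSID and DLL path in the sample are all made up for the demonstration.

```python
"""Flag Icon Overlay Handler registrations in registry-write telemetry.

Added example (not Veramine's code). Input records are constructed and
shaped like Sysmon registry events: event_id 12 = key created/deleted,
event_id 13 = value set; image = writing process; target = registry path;
details = value written.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Key Explorer enumerates to find icon overlay handlers: each subkey's
# default value holds the handler's CLSID.
OVERLAY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class RegistryEvent:
    event_id: int
    image: str
    target: str
    details: str = ""


def clsid_in(text: str) -> Optional[str]:
    """Return the first CLSID found in text, normalised to upper case."""
    m = CLSID_RE.search(text)
    return m.group(0).upper() if m else None


def inproc_servers(events: List[RegistryEvent]) -> Dict[str, str]:
    """Map CLSID -> DLL path from InprocServer32 default-value writes."""
    servers: Dict[str, str] = {}
    for ev in events:
        t = ev.target.lower()
        if ev.event_id == 13 and "\\clsid\\" in t and t.endswith("\\inprocserver32\\(default)"):
            clsid = clsid_in(ev.target)
            if clsid:
                servers[clsid] = ev.details
    return servers


def detect_overlay_handlers(events: List[RegistryEvent]) -> List[dict]:
    """One finding per (writing process, handler subkey) under OVERLAY_KEY.

    The CLSID is taken from the handler's default value and joined to the
    InprocServer32 map so the finding names the DLL explorer.exe will load.
    """
    servers = inproc_servers(events)
    findings: Dict[tuple, dict] = {}
    for ev in events:
        idx = ev.target.lower().find(OVERLAY_KEY.lower())
        if idx < 0:
            continue
        # Handler subkey name is the path component right after OVERLAY_KEY;
        # keep leading whitespace, since Explorer loads handlers in name order
        # and a name that sorts first is worth surfacing to the analyst.
        rest = ev.target[idx + len(OVERLAY_KEY):].strip("\\")
        handler = rest.split("\\")[0]
        f = findings.setdefault((ev.image, handler), {
            "image": ev.image, "handler": handler, "clsid": None,
            "dll": None, "writes": 0, "name_sorts_first": handler[:1].isspace(),
        })
        f["writes"] += 1
        clsid = clsid_in(ev.details) or clsid_in(ev.target)
        if clsid:
            f["clsid"] = clsid
            f["dll"] = servers.get(clsid)
    return list(findings.values())


# Constructed sample telemetry: one unrelated write, then a process registering
# a COM server and an overlay handler subkey that points at it.
_IMG = r"C:\Users\alice\AppData\Local\Temp\setup.exe"
_CLSID = "{11111111-2222-3333-4444-555555555555}"
SAMPLE_EVENTS = [
    RegistryEvent(13, r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                  r"C:\Program Files\Example\updater.exe"),
    RegistryEvent(13, _IMG,
                  r"HKLM\SOFTWARE\Classes\CLSID\%s\InprocServer32\(Default)" % _CLSID,
                  r"C:\Users\alice\AppData\Local\Temp\ovl.dll"),
    RegistryEvent(12, _IMG,
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\  ExampleOverlay"),
    RegistryEvent(13, _IMG,
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\  ExampleOverlay\(Default)",
                  _CLSID),
]

if __name__ == "__main__":
    for finding in detect_overlay_handlers(SAMPLE_EVENTS):
        print(finding)
```

Because legitimate software (cloud-sync clients, version-control shells) registers overlay handlers too, a deployment would add an allow-list keyed on the resolved DLL's path and signer rather than alerting on every finding.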