medium threat

Potential Command and Control via Internet Explorer COM Abuse

This rule detects potential command and control activity where Internet Explorer (iexplore.exe) is started via the Component Object Model (COM) and makes unusual network connections, indicating adversaries might exploit Internet Explorer via COM to evade detection and bypass host-based firewall restrictions.

This detection rule identifies potential command and control (C2) activity that abuses Internet Explorer (iexplore.exe) via the Component Object Model (COM) on Windows systems. The technique launches iexplore.exe through COM, often proxying the execution through system binaries such as rundll32.exe or regsvr32.exe to evade security controls. The rule focuses on unusual DNS queries originating from iexplore.exe, excluding those directed at common Microsoft and OCSP-related domains. This tactic lets adversaries make network connections that appear benign while hosting malicious content or performing C2 functions. The rule is designed for environments using Elastic Defend. The rule was last updated on 2026/05/04.

Attack Chain

  1. Adversary gains initial access to the targeted system (e.g., through phishing or exploiting a vulnerability).
  2. The adversary uses rundll32.exe or regsvr32.exe to load IEProxy.dll, which is used to instantiate Internet Explorer via COM.
  3. Iexplore.exe is launched as a child process of rundll32.exe or regsvr32.exe with the -Embedding flag, indicating it was started via COM.
  4. Iexplore.exe initiates DNS queries to resolve domains for command and control communication or to retrieve malicious payloads.
  5. The queried domains are uncommon or attacker-controlled, so they fall outside the allowlists that normally suppress benign traffic.
  6. Iexplore.exe establishes network connections to external IP addresses associated with the malicious domains.
  7. Data is exfiltrated or further commands are received through the established connections.
  8. The adversary maintains persistence and control over the compromised system.

Impact

Successful exploitation allows adversaries to establish a covert command and control channel, potentially leading to data theft, system compromise, or further propagation within the network. The use of Internet Explorer, a trusted system binary, helps evade detection and bypass host-based firewalls. The impact can range from individual workstation compromise to broader network breaches, depending on the attacker’s objectives.

Recommendation

  • Deploy the Sigma rule Potential Command and Control via Internet Explorer to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent processes (rundll32.exe, regsvr32.exe) and the destination domains of the DNS queries.
  • Monitor process execution events for instances of iexplore.exe being launched with the -Embedding flag, especially when the parent process is rundll32.exe or regsvr32.exe.
  • Review network connection logs for iexplore.exe to identify any unusual or suspicious outbound connections to domains not associated with standard Microsoft services or internal resources.
  • Implement network-level controls to block communication with any identified malicious domains.
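The two checks described in the attack chain and the recommendations above, as a toy Python implementation (an added example, not the feed's own detection queries). It assumes Sysmon-style events (EventID 1 = process creation, EventID 22 = DNS query), and the domain allowlist is an illustrative approximation of "common Microsoft and OCSP-related domains", not the published rule's exact exclusion list.

```python
# Toy implementation of the two rules above (added example, not the feed's own
# queries). Events are Sysmon-style dicts: EventID 1 = process creation,
# EventID 22 = DNS query. The allowlist is an illustrative assumption, not the
# published rule's exact exclusion list.
BENIGN_SUFFIXES = ("microsoft.com", "msftconnecttest.com", "windowsupdate.com",
                   "digicert.com", "verisign.com")  # assumed approximation
COM_PARENTS = ("rundll32.exe", "regsvr32.exe")

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_benign_domain(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return d.startswith("ocsp.") or any(d == s or d.endswith("." + s) for s in BENIGN_SUFFIXES)

def ie_started_via_com(ev: dict) -> bool:
    """Low-severity rule: iexplore.exe spawned by rundll32/regsvr32 with -Embedding."""
    return (ev.get("EventID") == 1 and basename(ev["Image"]) == "iexplore.exe"
            and basename(ev.get("ParentImage", "")) in COM_PARENTS
            and "-embedding" in ev.get("CommandLine", "").lower())

def unusual_ie_dns(ev: dict) -> bool:
    """Medium-severity rule: DNS query from iexplore.exe to a non-allowlisted domain."""
    return (ev.get("EventID") == 22 and basename(ev["Image"]) == "iexplore.exe"
            and not is_benign_domain(ev["QueryName"]))

def correlate(events: list) -> list:
    """DNS alerts whose iexplore.exe was itself started via COM: the combination
    the attack chain above describes, and the one worth triaging first."""
    com_started = {ev["ProcessGuid"] for ev in events if ie_started_via_com(ev)}
    return [ev for ev in events if unusual_ie_dns(ev) and ev["ProcessGuid"] in com_started]

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"EventID": 1, "Image": IE, "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": f'"{IE}" -Embedding', "ProcessGuid": "{A1}"},
    {"EventID": 1, "Image": IE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{IE}"', "ProcessGuid": "{B2}"},
    {"EventID": 22, "Image": IE, "QueryName": "ocsp.digicert.com", "ProcessGuid": "{A1}"},
    {"EventID": 22, "Image": IE, "QueryName": "cdn.example-c2.test", "ProcessGuid": "{A1}"},
    {"EventID": 22, "Image": IE, "QueryName": "news.example.org", "ProcessGuid": "{B2}"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("ALERT:", hit["ProcessGuid"], hit["QueryName"])
```

Only the DNS query from the COM-started instance ({A1}) to the non-allowlisted domain survives correlation; the OCSP lookup and the user-launched instance ({B2}) are suppressed, which mirrors the low/medium split of the two rules.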

Detection coverage (2 rules)

Potential Command and Control via Internet Explorer

medium

Detects Internet Explorer being started via COM making unusual network connections, potentially indicating command and control activity.

Type: sigma | Tactics: command_and_control | Techniques: T1071.004 | Sources: dns_query, windows

Internet Explorer Started via COM

low

Detects instances where Internet Explorer is started via Component Object Model (COM).

Type: sigma | Tactics: execution | Techniques: T1559.001 | Sources: process_creation, windows
