{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/internet-explorer/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Internet Explorer"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","com","iexplore","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies potential command and control (C2) activity abusing Internet Explorer (iexplore.exe) via the Component Object Model (COM) on Windows systems. The technique involves launching iexplore.exe through COM, often using system binaries like \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to proxy the execution and evade security controls. The rule focuses on identifying unusual DNS queries originating from iexplore.exe, excluding those directed towards common Microsoft and OCSP-related domains. This tactic allows adversaries to make network connections appearing benign while hosting malicious content or performing C2 functions. The rule is designed for environments using Elastic Defend. 
The rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the targeted system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe adversary uses \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to load \u003ccode\u003eIEProxy.dll\u003c/code\u003e, which is used to instantiate Internet Explorer via COM.\u003c/li\u003e\n\u003cli\u003eIexplore.exe is launched as a child process of \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e-Embedding\u003c/code\u003e flag, indicating it was started via COM.\u003c/li\u003e\n\u003cli\u003eIexplore.exe initiates DNS queries to resolve domains for command and control communication or to retrieve malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe DNS queries bypass typical whitelists by using uncommon or attacker-controlled domains.\u003c/li\u003e\n\u003cli\u003eIexplore.exe establishes network connections to external IP addresses associated with the malicious domains.\u003c/li\u003e\n\u003cli\u003eData is exfiltrated or further commands are received through the established connections.\u003c/li\u003e\n\u003cli\u003eThe adversary maintains persistence and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to establish a covert command and control channel, potentially leading to data theft, system compromise, or further propagation within the network. The use of Internet Explorer, a trusted system binary, helps evade detection and bypass host-based firewalls. 
The impact can range from individual workstation compromise to broader network breaches, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Command and Control via Internet Explorer\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes (\u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e) and the destination domains of the DNS queries.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003eiexplore.exe\u003c/code\u003e being launched with the \u003ccode\u003e-Embedding\u003c/code\u003e flag, especially when the parent process is \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for \u003ccode\u003eiexplore.exe\u003c/code\u003e to identify any unusual or suspicious outbound connections to domains not associated with standard Microsoft services or internal resources.\u003c/li\u003e\n\u003cli\u003eImplement network-level controls to block communication with any identified malicious domains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-iexplore-com-c2/","summary":"This rule detects potential command and control activity where Internet Explorer (iexplore.exe) is started via the Component Object Model (COM) and makes unusual network connections, indicating adversaries might exploit Internet Explorer via COM to evade detection and bypass host-based firewall restrictions.","title":"Potential Command and Control via Internet Explorer COM 
Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-iexplore-com-c2/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Corretto JDK","UEM Proxy Server","UEM Core","dbeaver.exe","Docker","Chrome","Internet Explorer","PyCharm Community Edition","Firefox","VirtualBox","Puppet","nexpose","Silverfort AD Adapter","Nessus","VMware View","Advanced Port Scanner","DesktopCentral Agent","LanGuard","SAP BusinessObjects","SuperScan","ZSATunnel"],"_cs_severities":["medium"],"_cs_tags":["kerberoasting","credential-access","lateral-movement","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","SentinelOne","Amazon","BlackBerry","DBeaver","Docker","Google","Microsoft","JetBrains","Mozilla","Oracle","Puppet Labs","Rapid7","Silverfort","Tenable","VMware","GFI","SAP","Zscaler"],"content_html":"\u003cp\u003eThis detection identifies unusual processes initiating network connections to the standard Kerberos port (88) on Windows systems. Typically, the \u003ccode\u003elsass.exe\u003c/code\u003e process handles Kerberos traffic on domain-joined hosts. The rule aims to detect processes other than \u003ccode\u003elsass.exe\u003c/code\u003e communicating with the Kerberos port, which could indicate malicious activity such as Kerberoasting (T1558.003) or Pass-the-Ticket (T1550.003). The detection is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. 
This can help security teams identify potential credential access attempts and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a user account or system within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious binary or script (e.g., PowerShell) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to request Kerberos service tickets (TGS) for various services within the domain. This is done by connecting to the Kerberos port (88) on a domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003eRubeus\u003c/code\u003e or \u003ccode\u003eKerberoast.ps1\u003c/code\u003e to enumerate and request TGS tickets.\u003c/li\u003e\n\u003cli\u003eThe unusual process (not \u003ccode\u003elsass.exe\u003c/code\u003e) sends Kerberos traffic to the domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the Kerberos tickets from memory or network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the TGS tickets offline to obtain service account passwords (Kerberoasting).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised service account credentials to move laterally within the network or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberoasting or Pass-the-Ticket attack can lead to unauthorized access to sensitive resources and lateral movement within the network. Attackers can compromise service accounts with elevated privileges, potentially leading to domain-wide compromise. Detection of this behavior can prevent attackers from gaining access to critical assets. 
While the exact number of victims and sectors targeted are unknown, this technique is widely used by various threat actors in targeted attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Kerberos Traffic from Unusual Process\u0026rdquo; Sigma rule to your SIEM and tune for your environment. Enable network connection logging to capture the necessary traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious binaries.\u003c/li\u003e\n\u003cli\u003eReview event ID 4769 for suspicious ticket requests as mentioned in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eExamine host services for suspicious entries as outlined in the original Elastic detection rule using Osquery.\u003c/li\u003e\n\u003cli\u003eMonitor for processes connecting to port 88, filtering out legitimate Kerberos clients like \u003ccode\u003elsass.exe\u003c/code\u003e, using the \u0026ldquo;Detect Kerberos Traffic from Non-Standard Process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate processes identified by the rule and compare them to the list of legitimate processes to identify unauthorized connections to the Kerberos port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-03-kerberoasting-unusual-process/","summary":"Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.","title":"Kerberos Traffic from Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-kerberoasting-unusual-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Internet Explorer","version":"https://jsonfeed.org/version/1.1"}