{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/com/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Internet Explorer"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","com","iexplore","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies potential command and control (C2) activity abusing Internet Explorer (iexplore.exe) via the Component Object Model (COM) on Windows systems. The technique involves launching iexplore.exe through COM, often using system binaries like \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to proxy the execution and evade security controls. The rule focuses on identifying unusual DNS queries originating from iexplore.exe, excluding those directed towards common Microsoft and OCSP-related domains. This tactic allows adversaries to make network connections appearing benign while hosting malicious content or performing C2 functions. The rule is designed for environments using Elastic Defend. The rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the targeted system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe adversary uses \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to load \u003ccode\u003eIEProxy.dll\u003c/code\u003e, which is used to instantiate Internet Explorer via COM.\u003c/li\u003e\n\u003cli\u003eIexplore.exe is launched as a child process of \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e-Embedding\u003c/code\u003e flag, indicating it was started via COM.\u003c/li\u003e\n\u003cli\u003eIexplore.exe initiates DNS queries to resolve domains for command and control communication or to retrieve malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe DNS queries bypass typical whitelists by using uncommon or attacker-controlled domains.\u003c/li\u003e\n\u003cli\u003eIexplore.exe establishes network connections to external IP addresses associated with the malicious domains.\u003c/li\u003e\n\u003cli\u003eData is exfiltrated or further commands are received through the established connections.\u003c/li\u003e\n\u003cli\u003eThe adversary maintains persistence and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to establish a covert command and control channel, potentially leading to data theft, system compromise, or further propagation within the network. The use of Internet Explorer, a trusted system binary, helps evade detection and bypass host-based firewalls. The impact can range from individual workstation compromise to broader network breaches, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Command and Control via Internet Explorer\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes (\u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e) and the destination domains of the DNS queries.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003eiexplore.exe\u003c/code\u003e being launched with the \u003ccode\u003e-Embedding\u003c/code\u003e flag, especially when the parent process is \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for \u003ccode\u003eiexplore.exe\u003c/code\u003e to identify any unusual or suspicious outbound connections to domains not associated with standard Microsoft services or internal resources.\u003c/li\u003e\n\u003cli\u003eImplement network-level controls to block communication with any identified malicious domains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-iexplore-com-c2/","summary":"This rule detects potential command and control activity where Internet Explorer (iexplore.exe) is started via the Component Object Model (COM) and makes unusual network connections, indicating adversaries might exploit Internet Explorer via COM to evade detection and bypass host-based firewall restrictions.","title":"Potential Command and Control via Internet Explorer COM Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-iexplore-com-c2/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","com","ieinstal"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies a User Account Control (UAC) bypass technique that abuses the Internet Explorer Add-On Installer (ieinstal.exe) to launch malicious programs with elevated privileges. Attackers exploit elevated COM interfaces to circumvent UAC, allowing for stealthy code execution. The specific behavior involves executing a program from a temporary directory using ieinstal.exe with the \u003ccode\u003e-Embedding\u003c/code\u003e argument. This bypass can be utilized to perform various malicious activities, including installing malware, modifying system settings, or establishing persistence. The targeted systems are Windows endpoints where UAC is enabled. This technique matters because it allows attackers to gain unauthorized access with elevated permissions, undermining standard Windows security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable into a temporary directory, such as \u003ccode\u003eC:\\Users\\\u0026lt;user\u0026gt;\\AppData\\Local\\Temp\\IDC*.tmp\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes \u003ccode\u003eieinstal.exe\u003c/code\u003e with the \u003ccode\u003e-Embedding\u003c/code\u003e argument, specifying the path to the malicious executable.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eieinstal.exe\u003c/code\u003e, running with elevated privileges, launches the malicious executable due to COM object handling.\u003c/li\u003e\n\u003cli\u003eThe malicious executable executes with elevated privileges, bypassing UAC prompts.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages elevated privileges to perform malicious activities, such as installing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence to maintain elevated access across system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this UAC bypass technique allows attackers to execute arbitrary code with elevated privileges, bypassing security controls designed to prevent unauthorized system modifications. This can lead to the installation of malware, data theft, or complete system compromise. The severity of the impact is high, as it grants attackers significant control over the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer\u0026rdquo; to your SIEM to detect potential UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process execution from temporary directories, specifically those matching the pattern \u003ccode\u003eC:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eieinstal.exe\u003c/code\u003e being executed with the \u003ccode\u003e-Embedding\u003c/code\u003e argument, as this is a key indicator of the UAC bypass attempt.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-uac-bypass-ieinstal/","summary":"This threat brief details a UAC bypass technique leveraging the Internet Explorer Add-On Installer (ieinstal.exe) and Component Object Model (COM) to execute arbitrary code with elevated privileges.","title":"UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer","url":"https://feed.craftedsignal.io/briefs/2024-01-03-uac-bypass-ieinstal/"}],"language":"en","title":"CraftedSignal Threat Feed — Com","version":"https://jsonfeed.org/version/1.1"}