Detectioncriticaltest

Potential DCOM InternetExplorer.Application DLL Hijack

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR), waggaCreated Mon Oct 12Updated Sun Dec 182f7979ae-f82b-45af-ac1d-2b10e93b0baawindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image: System
        TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

threathunterplaybook.com

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement

Sub-techniques

T1021.002 · SMB/Windows Admin Shares T1021.003 · Distributed Component Object Model

Related Rules

Similar

e554f142-5cf3-4e55-ace9-a1b59e0def65

Rule not found

SimilarDetectioncritical

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

2f7979ae-f82b-45af-ac1d-2b10e93b0baa

Status

test

Level

critical

Type

Detection

Created

Mon Oct 12

Modified

Sun Dec 18

Author

Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR), wagga

Path

rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml

Raw Tags

attack.lateral-movementattack.t1021.002attack.t1021.003

View on GitHub