Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR)Created Mon Oct 12Updated Sat Nov 26c39f0c81-7348-4965-ab27-2fde35a1b641windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        EventID: 5145
        RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
threathunterplaybook.com
MITRE ATT&CK
Rule Metadata
Rule ID
c39f0c81-7348-4965-ab27-2fde35a1b641
Status
test
Level
high
Type
Detection
Created
Mon Oct 12
Modified
Sat Nov 26
Author
Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR)
Path
rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml
Raw Tags
attack.lateral-movementattack.t1021.002attack.t1021.003
View on GitHub