Detectioncriticaltest

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR), waggaCreated Mon Oct 12Updated Sun Dec 18f354eba5-623b-450f-b073-0b5b2773b6aawindows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\Internet Explorer\iexplore.exe'
        ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

threathunterplaybook.com

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement

Sub-techniques

T1021.002 · SMB/Windows Admin Shares T1021.003 · Distributed Component Object Model

Related Rules

Similar

e554f142-5cf3-4e55-ace9-a1b59e0def65

Rule not found

SimilarDetectioncritical

Potential DCOM InternetExplorer.Application DLL Hijack

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

f354eba5-623b-450f-b073-0b5b2773b6aa

Status

test

Level

critical

Type

Detection

Created

Mon Oct 12

Modified

Sun Dec 18

Author

Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR), wagga

Path

rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml

Raw Tags

attack.lateral-movementattack.t1021.002attack.t1021.003

View on GitHub