Potential Command and Control via Internet Explorer
Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making
unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making
network connections and bypass host-based firewall restrictions.
"""
false_positives = ["Processes such as MS Office using IEproxy to render HTML content."]
from = "now-9m"
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Command and Control via Internet Explorer"
risk_score = 47
rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Command and Control",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id, user.name with maxspan = 5s
  [library where host.os.type == "windows" and dll.name : "IEProxy.dll" and process.name : ("rundll32.exe", "regsvr32.exe")]
  [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "iexplore.exe" and process.parent.args : "-Embedding"]
  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */
  [network where host.os.type == "windows" and network.protocol == "dns" and process.name : "iexplore.exe" and
   not dns.question.name :
   (
    "*.microsoft.com",
    "*.digicert.com",
    "*.msocsp.com",
    "*.windowsupdate.com",
    "*.bing.com",
    "*.identrust.com",
    "*.sharepoint.com",
    "*.office365.com",
    "*.office.com"
   )
  ] /* with runs=5 */
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Command and Control via Internet Explorer

Internet Explorer can be manipulated via the Component Object Model (COM) to initiate network connections, potentially bypassing security measures. Adversaries exploit this by embedding IE in processes like rundll32.exe, making it appear benign. The detection rule identifies unusual DNS queries from IE, excluding common Microsoft domains, to flag suspicious activity indicative of command and control attempts.

### Possible investigation steps

- Review the alert details to identify the specific host and user associated with the suspicious activity, focusing on the host.id and user.name fields.
- Examine the process tree on the affected host to confirm if Internet Explorer (iexplore.exe) was indeed started via COM, specifically looking for the parent process rundll32.exe or regsvr32.exe with IEProxy.dll loaded.
- Analyze the DNS queries made by Internet Explorer to identify any unusual or suspicious domains that are not part of the common Microsoft or OCSP-related domains listed in the exclusion list.
- Check the network connections initiated by Internet Explorer to determine if there are any unexpected or unauthorized external IP addresses or domains being contacted.
- Investigate the context and timing of the alert by correlating it with other security events or logs from the same host or user to identify any patterns or additional indicators of compromise.
- Assess the risk and potential impact of the detected activity by considering the severity of the alert and any additional findings from the investigation steps above.

### False positive analysis

- Internet Explorer may make legitimate DNS queries to domains not listed in the exclusion list, such as those related to third-party services or internal company resources. Users should monitor and identify these domains and consider adding them to the exclusion list if they are verified as non-threatening.
- Some enterprise environments may use custom applications that leverage Internet Explorer via COM for legitimate purposes. In such cases, users should identify these applications and create exceptions for their associated processes to prevent false positives.
- Regular updates or patches from non-Microsoft sources might trigger alerts if they use Internet Explorer for network connections. Users should verify the legitimacy of these updates and adjust the exclusion list accordingly.
- Internal network monitoring tools or scripts that use Internet Explorer for testing or monitoring purposes could be flagged. Users should document these tools and exclude their associated network activities from the detection rule.
- If a specific user or department frequently triggers alerts due to legitimate use of Internet Explorer, consider creating user or department-specific exceptions to reduce noise while maintaining security oversight.

### Response and remediation

- Isolate the affected host from the network immediately to prevent further command and control communication and potential data exfiltration.
- Terminate the Internet Explorer process (iexplore.exe) and any associated processes like rundll32.exe or regsvr32.exe that are identified as suspicious.
- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to identify and remove any malicious software or scripts.
- Review and analyze the DNS query logs to identify any other potentially compromised hosts within the network that may have communicated with the same suspicious domains.
- Restore the affected system from a known good backup if malware is confirmed and cannot be fully removed, ensuring that the backup is free from compromise.
- Implement network-level controls to block the identified suspicious domains and IP addresses to prevent future communication attempts.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"
[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
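As an added illustration (not Elastic's code), the following Python re-implements the rule's three-stage EQL sequence over constructed ECS-style events: the IEProxy.dll load by rundll32.exe/regsvr32.exe, the COM-spawned child of iexplore.exe with `-Embedding`, and a DNS query from iexplore.exe outside the allowlist, all keyed by host.id and user.name within the 5-second window. The flat event layout, helper names and sample timestamps are assumptions, and the sequence engine is simplified to one open sequence per key.

```python
from fnmatch import fnmatch

MAXSPAN = 5.0  # seconds, mirrors `with maxspan = 5s`
ALLOWED_DNS = ("*.microsoft.com", "*.digicert.com", "*.msocsp.com", "*.windowsupdate.com", "*.bing.com",
               "*.identrust.com", "*.sharepoint.com", "*.office365.com", "*.office.com")

def stage_of(ev):
    # Which of the rule's three sequence stages this event satisfies (0, 1, 2), or None.
    # EQL's ':' operator compares case-insensitively, so names are lower-cased first.
    cat = ev.get("event.category") if ev.get("host.os.type") == "windows" else None
    name = ev.get("process.name", "").lower()
    if cat == "library" and ev.get("dll.name", "").lower() == "ieproxy.dll" and name in ("rundll32.exe", "regsvr32.exe"):
        return 0
    if (cat == "process" and ev.get("event.type") == "start" and "-Embedding" in ev.get("process.parent.args", [])
            and ev.get("process.parent.name", "").lower() == "iexplore.exe"):
        return 1
    if cat == "network" and ev.get("network.protocol") == "dns" and name == "iexplore.exe":
        if not any(fnmatch(ev.get("dns.question.name", "").lower(), p) for p in ALLOWED_DNS):  # FP allowlist
            return 2
    return None

def match_sequence(events):
    # Emulates `sequence by host.id, user.name with maxspan = 5s`; simplified to one open
    # sequence per key (a new stage-0 event restarts it). Returns one matched triple per alert.
    alerts, pending = [], {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        key = (ev["host.id"], ev["user.name"])
        if stage == 0:
            pending[key] = (ev["@timestamp"], [ev])
        elif key in pending and len(pending[key][1]) == stage:
            if ev["@timestamp"] - pending[key][0] > MAXSPAN:
                del pending[key]  # window expired: discard the partial match
            else:
                pending[key][1].append(ev)
                if stage == 2:
                    alerts.append(tuple(pending.pop(key)[1]))
    return alerts

def _ev(ts, category, **fields):  # constructed ECS-like event, not real telemetry
    return {"@timestamp": ts, "host.id": "h1", "user.name": "alice", "host.os.type": "windows",
            "event.category": category, **fields}
COM_START = {"event.type": "start", "process.parent.name": "iexplore.exe", "process.parent.args": ["-Embedding"]}
SAMPLE_EVENTS = [  # chain 1 resolves a non-allowlisted name; chain 2 only an allowlisted OCSP responder
    _ev(0.0, "library", **{"dll.name": "IEProxy.dll", "process.name": "rundll32.exe"}),
    _ev(1.2, "process", **COM_START),
    _ev(2.5, "network", **{"network.protocol": "dns", "process.name": "iexplore.exe", "dns.question.name": "cdn.example.invalid"}),
    _ev(10.0, "library", **{"dll.name": "IEProxy.dll", "process.name": "regsvr32.exe"}),
    _ev(11.0, "process", **COM_START),
    _ev(12.0, "network", **{"network.protocol": "dns", "process.name": "iexplore.exe", "dns.question.name": "ocsp.msocsp.com"}),
]
```

Running `match_sequence(SAMPLE_EVENTS)` yields exactly one alert, for the first chain; extending ALLOWED_DNS is how the page's false-positive tuning advice maps onto this emulation.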
Related rules
- Attempt to Establish VScode Remote Tunnel
- Connection to Commonly Abused Free SSL Certificate Providers
- Ingress Transfer via Windows BITS
- Outlook Home Page Registry Modification
- Potential File Transfer via Certreq