Suspicious Execution from INET Cache
Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/02/14"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/10/31"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious
13content via WININET during initial access.
14"""
15from = "now-9m"
16index = [
17 "winlogbeat-*",
18 "logs-endpoint.events.process-*",
19 "logs-windows.forwarded*",
20 "logs-windows.sysmon_operational-*",
21 "endgame-*",
22 "logs-system.security*",
23 "logs-m365_defender.event-*",
24 "logs-sentinel_one_cloud_funnel.*",
25 "logs-crowdstrike.fdr*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Suspicious Execution from INET Cache"
30references = [
31 "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
32]
33risk_score = 73
34rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
35severity = "high"
36tags = [
37 "Domain: Endpoint",
38 "OS: Windows",
39 "Use Case: Threat Detection",
40 "Tactic: Initial Access",
41 "Tactic: Command and Control",
42 "Data Source: Elastic Endgame",
43 "Data Source: Elastic Defend",
44 "Data Source: System",
45 "Data Source: Microsoft Defender for Endpoint",
46 "Data Source: Sysmon",
47 "Data Source: SentinelOne",
48 "Data Source: Crowdstrike",
49]
50timestamp_override = "event.ingested"
51type = "eql"
52
53query = '''
54process where host.os.type == "windows" and event.type == "start" and
55 process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
56 (
57 process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
58 process.executable : (
59 "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
60 "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
61 )
62 )
63'''
64
65
66[[rule.threat]]
67framework = "MITRE ATT&CK"
68[[rule.threat.technique]]
69id = "T1566"
70name = "Phishing"
71reference = "https://attack.mitre.org/techniques/T1566/"
72[[rule.threat.technique.subtechnique]]
73id = "T1566.001"
74name = "Spearphishing Attachment"
75reference = "https://attack.mitre.org/techniques/T1566/001/"
76
77
78
79[rule.threat.tactic]
80id = "TA0001"
81name = "Initial Access"
82reference = "https://attack.mitre.org/tactics/TA0001/"
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85[[rule.threat.technique]]
86id = "T1105"
87name = "Ingress Tool Transfer"
88reference = "https://attack.mitre.org/techniques/T1105/"
89
90
91[rule.threat.tactic]
92id = "TA0011"
93name = "Command and Control"
94reference = "https://attack.mitre.org/tactics/TA0011/"
References
-
The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability CVE-2024-21412 in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.
Read More
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Suspicious MS Office Child Process
- Command Execution via SolarWinds Process
- Potential Foxmail Exploitation
- Suspicious PDF Reader Child Process