Suspicious Execution from INET Cache

Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.


# Elastic detection rule (EQL). Fires on Windows process starts whose command
# line or executable path points into the IE INetCache folder, i.e. content
# fetched through WinINet and then launched from the cache.
[metadata]
creation_date = "2024/02/14"
# Fleet integrations this rule expects to be shipping data (see rule.index).
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious
content via WININET during initial access.
"""
# Start of each run's search window, relative to execution time.
from = "now-9m"
# Index patterns searched. Only Endgame and Defend appear in the "Data Source:"
# tags below, although winlogbeat, windows and system indices are queried too —
# confirm whether the tags should be extended.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.*",
    "endgame-*",
    "logs-system.security*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution from INET Cache"
references = [
    "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
]
risk_score = 73
rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Command and Control",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
# Place events in the search window by ingest time rather than event time, so
# late-arriving events are still evaluated.
timestamp_override = "event.ingested"
type = "eql"

# Literal (single-quoted) TOML string: the doubled backslashes reach EQL
# unchanged and are EQL string escapes, not TOML escapes.
# The parent is the shell or a common archive manager, presumably to catch a
# user opening a downloaded or extracted file. The two path clauses are OR-ed,
# so an event that carries no command line can still match on the executable path.
# NOTE(review): both patterns cover only the INetCache\IE subfolder, whereas the
# description refers to the INetCache folder in general — confirm the intended scope.
query = '''
process where host.os.type == "windows" and event.type == "start" and  
 process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
  (process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
   process.executable : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*")
'''


# ATT&CK mapping; mirrors the two "Tactic:" tags above.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
