Suspicious Execution from INET Cache
Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/02/14"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious
13content via WININET during initial access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Execution from INET Cache"
20references = [
21"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"
22]
23risk_score = 73
24rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
25severity = "high"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31process where host.os.type == "windows" and event.type == "start" and
32 process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
33 (process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
34 process.executable : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*")
35'''
36
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40[[rule.threat.technique]]
41id = "T1566"
42name = "Phishing"
43reference = "https://attack.mitre.org/techniques/T1566/"
44[[rule.threat.technique.subtechnique]]
45id = "T1566.001"
46name = "Spearphishing Attachment"
47reference = "https://attack.mitre.org/techniques/T1566/001/"
48
49
50[rule.threat.tactic]
51id = "TA0001"
52name = "Initial Access"
53reference = "https://attack.mitre.org/tactics/TA0001/"
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1105"
60name = "Ingress Tool Transfer"
61reference = "https://attack.mitre.org/techniques/T1105/"
62
63
64[rule.threat.tactic]
65id = "TA0011"
66name = "Command and Control"
67reference = "https://attack.mitre.org/tactics/TA0011/"
References
-
The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability CVE-2024-21412 in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.
Read More
Related rules
- Command Execution via SolarWinds Process
- First Time Seen Removable Device
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Worker Spawning Suspicious Processes