Suspicious Execution from INET Cache

Identifies the start of a process whose executable or command-line arguments point into the INetCache folder (%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE), the on-disk cache for files fetched through the WinINet API, when the parent is Explorer or a common archive manager. Adversaries may deliver malicious content via WININET during initial access, for example a downloaded or attached file that the user then opens directly from the cache.

Elastic rule (View on GitHub)

    [metadata]
    creation_date = "2024/02/14"
    integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
    maturity = "production"
    updated_date = "2025/01/15"
    min_stack_version = "8.14.0"
    min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

    [rule]
    author = ["Elastic"]
    description = """
    Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious
    content via WININET during initial access.
    """
    from = "now-9m"
    index = [
        "winlogbeat-*",
        "logs-endpoint.events.process-*",
        "logs-windows.forwarded*",
        "logs-windows.sysmon_operational-*",
        "endgame-*",
        "logs-system.security*",
        "logs-m365_defender.event-*",
        "logs-sentinel_one_cloud_funnel.*",
        "logs-crowdstrike.fdr*",
    ]
    language = "eql"
    license = "Elastic License v2"
    name = "Suspicious Execution from INET Cache"
    references = [
        "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
    ]
    risk_score = 73
    rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
    severity = "high"
    tags = [
        "Domain: Endpoint",
        "OS: Windows",
        "Use Case: Threat Detection",
        "Tactic: Initial Access",
        "Tactic: Command and Control",
        "Data Source: Elastic Endgame",
        "Data Source: Elastic Defend",
        "Data Source: System",
        "Data Source: Microsoft Defender for Endpoint",
        "Data Source: Sysmon",
        "Data Source: SentinelOne",
        "Data Source: Crowdstrike",
        "Resources: Investigation Guide",
    ]
    timestamp_override = "event.ingested"
    type = "eql"

    query = '''
    process where host.os.type == "windows" and event.type == "start" and
      process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
      (
        process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
        process.executable : (
          "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
          "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
        )
      )
    '''
    note = """## Triage and analysis

    > **Disclaimer**:
    > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

    ### Investigating Suspicious Execution from INET Cache

    The INetCache folder stores temporary internet files, which can be exploited by adversaries to execute malicious payloads delivered via WININET. Attackers may disguise malware as legitimate files cached during browsing. The detection rule identifies suspicious processes initiated from this cache, especially when launched by common file explorers, signaling potential initial access or command and control activities.

    ### Possible investigation steps

    - Review the process details to confirm the executable path and arguments match the INetCache folder pattern specified in the query.
    - Identify the parent process, such as explorer.exe, winrar.exe, 7zFM.exe, or Bandizip.exe, to determine if the process launch is consistent with typical user behavior or potentially malicious activity.
    - Check the user account associated with the process to assess if the activity aligns with the user's normal behavior or if the account may be compromised.
    - Investigate the file in the INetCache directory for known malware signatures or anomalies using antivirus or endpoint detection tools.
    - Analyze network activity from the host to identify any suspicious connections that may indicate command and control communication.
    - Correlate the event with other security alerts or logs to identify patterns or additional indicators of compromise related to the initial access or command and control tactics.

    ### False positive analysis

    - Legitimate software updates or installations may temporarily use the INetCache folder for storing executable files. Users can create exceptions for known update processes by identifying their specific executable paths and excluding them from the rule.
    - Some browser extensions or plugins might cache executable files in the INetCache folder during normal operations. Users should monitor and whitelist these extensions if they are verified as safe and frequently trigger alerts.
    - Automated scripts or tools that interact with web content might inadvertently store executables in the INetCache folder. Users can adjust the rule to exclude these scripts by specifying their parent process names or paths.
    - Certain enterprise applications may use the INetCache folder for legitimate purposes. Users should collaborate with IT departments to identify these applications and configure exceptions based on their unique process signatures.
    - Regularly review and update the list of excluded processes to ensure that only verified and non-threatening activities are exempt from triggering alerts.

    ### Response and remediation

    - Isolate the affected system from the network to prevent further communication with potential command and control servers.
    - Terminate any suspicious processes identified as originating from the INetCache folder to halt any ongoing malicious activity.
    - Delete any malicious files found within the INetCache directory to remove the immediate threat.
    - Conduct a full antivirus and antimalware scan on the affected system to identify and remove any additional threats.
    - Review and analyze recent email logs and web browsing history to identify potential phishing attempts or malicious downloads that may have led to the initial compromise.
    - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
    - Implement enhanced monitoring and logging for the INetCache directory and related processes to detect similar threats in the future."""


    [[rule.threat]]
    framework = "MITRE ATT&CK"
    [[rule.threat.technique]]
    id = "T1566"
    name = "Phishing"
    reference = "https://attack.mitre.org/techniques/T1566/"
    [[rule.threat.technique.subtechnique]]
    id = "T1566.001"
    name = "Spearphishing Attachment"
    reference = "https://attack.mitre.org/techniques/T1566/001/"



    [rule.threat.tactic]
    id = "TA0001"
    name = "Initial Access"
    reference = "https://attack.mitre.org/tactics/TA0001/"
    [[rule.threat]]
    framework = "MITRE ATT&CK"
    [[rule.threat.technique]]
    id = "T1105"
    name = "Ingress Tool Transfer"
    reference = "https://attack.mitre.org/techniques/T1105/"


    [rule.threat.tactic]
    id = "TA0011"
    name = "Command and Control"
    reference = "https://attack.mitre.org/tactics/TA0011/"
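To see exactly which events the query above catches and which it lets through, the following is a Python re-implementation of the rule's matching logic run over constructed process events. It is an added example, not Elastic's code or part of the shipped rule: the ECS-shaped events, the user name `jdoe`, the cache subfolder and file names are invented, and the `excluded_executables` allowlist is a hypothetical modelling of the path-based exception the false-positive guidance describes.

```python
import re

# Parent processes the rule requires: a user double-clicking a cached file in
# Explorer or opening it from an archive manager. EQL `:` is case-insensitive.
PARENT_NAMES = {"explorer.exe", "winrar.exe", "7zfm.exe", "bandizip.exe"}

# Wildcard patterns taken from the rule query: `?` is one character, `*` any run.
ARGS_PATTERNS = (r"?:\Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\*",)
EXECUTABLE_PATTERNS = (
    r"?:\Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\*",
    r"\Device\HarddiskVolume?\Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\*",
)


def eql_wildcard(pattern):
    """Translate an EQL `:` pattern into a compiled, case-insensitive regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def _get(event, dotted, default=None):
    """Read a dotted ECS field ("process.parent.name") from a nested dict."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _has(event, dotted, value):
    """True if the field equals `value` or, for ECS array fields, contains it."""
    found = _get(event, dotted)
    if isinstance(found, str):
        found = [found]
    return bool(found) and value in found


def _any_match(patterns, values):
    return any(eql_wildcard(p).fullmatch(v) for p in patterns for v in values)


def matches_rule(event, excluded_executables=()):
    """True when `event` would fire the rule.

    `excluded_executables` is a hypothetical allowlist of wildcard patterns on
    process.executable, modelling the exception the false-positive guidance
    suggests for known updaters; it is not part of the shipped rule."""
    if _get(event, "host.os.type") != "windows":
        return False
    if not (_has(event, "event.category", "process") and _has(event, "event.type", "start")):
        return False
    parent = (_get(event, "process.parent.name") or "").lower()
    if parent not in PARENT_NAMES:
        return False
    executable = _get(event, "process.executable") or ""
    args = _get(event, "process.args") or []
    if _any_match(excluded_executables, [executable]):
        return False
    return _any_match(ARGS_PATTERNS, args) or _any_match(EXECUTABLE_PATTERNS, [executable])


def make_event(parent, executable, args=None, os_type="windows"):
    """Build a minimal ECS-shaped process start event (constructed, not real telemetry)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"category": ["process"], "type": ["start"]},
        "process": {
            "parent": {"name": parent},
            "executable": executable,
            "args": args if args is not None else [executable],
        },
    }


# Constructed events; the user, cache subfolder names and file names are invented.
IE_CACHE = r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\IE"
SAMPLE_EVENTS = {
    # Binary launched straight out of the cache by Explorer: fires on process.executable.
    "exe_from_cache": make_event("explorer.exe", IE_CACHE + r"\K3P9Z1Q7\Invoice_2024.exe"),
    # Archive manager hands a cached script to cmd.exe: fires on process.args.
    "script_via_args": make_event("WinRAR.exe", r"C:\Windows\System32\cmd.exe",
                                  ["cmd.exe", "/c", IE_CACHE + r"\K3P9Z1Q7\setup.bat"]),
    # Some sensors report NT device paths instead of drive letters: still fires.
    "device_path": make_event("explorer.exe", r"\Device\HarddiskVolume3\Users\jdoe"
                              r"\AppData\Local\Microsoft\Windows\INetCache\IE\A1B2C3D4\update.exe"),
    # Same file spawned by powershell.exe: outside the parent list, does not fire.
    "other_parent": make_event("powershell.exe", IE_CACHE + r"\K3P9Z1Q7\Invoice_2024.exe"),
    # Outlook's secure temp folder is under INetCache but not under \IE\: does not fire.
    "outlook_subfolder": make_event("explorer.exe", r"C:\Users\jdoe\AppData\Local\Microsoft"
                                    r"\Windows\INetCache\Content.Outlook\5TQ8W2RK\Invoice.exe"),
    # Non-Windows host: filtered by host.os.type.
    "not_windows": make_event("explorer.exe", IE_CACHE + r"\K3P9Z1Q7\Invoice_2024.exe", os_type="linux"),
}


def evaluate(events, excluded_executables=()):
    """Sorted names of the events that would fire the rule."""
    return sorted(n for n, ev in events.items() if matches_rule(ev, excluded_executables))


if __name__ == "__main__":
    print("fires:", evaluate(SAMPLE_EVENTS))
    print("with updater allowlist:", evaluate(SAMPLE_EVENTS, (r"*\INetCache\IE\*\update.exe",)))
```

The constructed events make two scoping limits of the query visible: a cached payload spawned by a parent outside the four listed names is not covered, and only the `\INetCache\IE\` subfolder matches, not siblings such as Outlook's `Content.Outlook` secure temp folder. The allowlist also shows why a name-based exception is weak: an attacker controls the file name, so where the data source provides them, scope exceptions on `process.code_signature` or `process.hash` fields rather than on a path pattern alone.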
