Suspicious Execution from INET Cache

Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.

Elastic rule

[metadata]
creation_date = "2024/02/14"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious
content via WININET during initial access.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution from INET Cache"
references = [
    "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
]
risk_score = 73
rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
  (
    process.args : "*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
    process.executable : (
      "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",

      /* Crowdstrike specific condition as it uses NT Object paths */
      "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
    )
  ) and
  not process.executable : (
        "?:\\Program Files\\*.exe",
        "?:\\Program Files (x86)\\*.exe",
        "?:\\Windows\\System32\\mspaint.exe",
        "?:\\Windows\\System32\\notepad.exe",

        /* Crowdstrike specific exclusion as it uses NT Object paths */
        "\\Device\\HarddiskVolume*\\Program Files\\*.exe",
        "\\Device\\HarddiskVolume*\\Program Files (x86)\\*.exe",
        "\\Device\\HarddiskVolume*\\Windows\\System32\\mspaint.exe",
        "\\Device\\HarddiskVolume*\\Windows\\System32\\notepad.exe"
  )
'''

note = """## Triage and analysis

### Investigating Suspicious Execution from INET Cache

#### Possible investigation steps

- Did the alert execute a payload from INetCache, or did another process only reference cached content?
  - Focus: `process.executable` and `process.command_line`, checking whether `AppData\\Local\\Microsoft\\Windows\\INetCache\\IE` or `\\Device\\HarddiskVolume*\\Users\\*\\INetCache\\IE` is the image path, loader input, or only a document/image argument.
  - Implication: escalate faster when the image runs from cache or feeds cached script, archive, shortcut, or DLL content to a loader; lower suspicion when the cache path is only a file argument to a recognized viewer and later lineage shows no execution.

- Does identity and launch context fit a recognized file-opening, archive, or installer workflow?
  - Focus: `process.hash.sha256`, `process.code_signature.subject_name`, `process.code_signature.trusted`, `process.parent.executable`, and `process.parent.command_line`.
  - Implication: escalate when identity, signer, path, or parent command line conflicts with Explorer/archive-manager file handling; lower suspicion only when identity and launcher context fit one coherent workflow. Identity alone does not clear cache execution.

- Do launcher-scoped file events show a downloaded or disguised lure chain?
  - Why: parent-scoped provenance distinguishes routine cache use from shortcut, archive, script, or DLL handoff.
  - Focus: file events from the parent launcher via `process.parent.entity_id`; fallback to `host.id` plus parent PID and alert time, checking `file.path`, `file.origin_url`, `file.origin_referrer_url`, `file.Ext.windows.zone_identifier`, and `file.Ext.original.extension`. $investigate_0
  - Implication: escalate when provenance shows internet delivery, deceptive extensions, shortcut-to-archive/script transitions, or renamed cache payloads. Missing file telemetry is unresolved, not benign.

- Do process-scoped DNS or connection events show delivery or follow-on infrastructure?
  - Why: network evidence separates local file-opening from remote retrieval, payload transfer, or follow-on command and control.
  - Focus: DNS and connection events from `process.entity_id`; fallback to `host.id` plus `process.pid` and alert time, checking DNS `dns.question.name` and `dns.resolved_ip` plus connection `destination.ip` and `destination.port`. $investigate_1
  - Hint: compare `lookup_result` DNS `dns.resolved_ip` values to connection `destination.ip` before judging infrastructure.
  - Implication: escalate when the process reaches rare external, WebDAV-like, dotted-quad, or payload-transfer destinations that do not match file provenance; lower suspicion when destinations align with the same recognized vendor workflow. Missing network telemetry is unresolved, not benign.

- Did the cached content lead to script, archive, DLL, or staged executable execution?
  - Focus: child starts where `process.parent.entity_id` matches `process.entity_id`, checking child `process.name`, `process.executable`, and `process.command_line`. $investigate_2
  - Hint: if entity IDs are unavailable, use parent PID plus alert time as a weaker fallback.
  - Implication: escalate when the chain quickly launches "cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", or another staged executable; lower suspicion when the lineage stops at the original viewer, archiver, or installer.

- If local evidence remains suspicious or unresolved after lineage review, is the same user or host part of broader delivery activity?
  - Focus: `host.id`, `user.id`, and related alerts that repeat the same cache-path role, parent launcher, child-process family, recovered destination, or provenance pattern.
  - Hint: pivot same-user alerts. $investigate_3
  - Hint: pivot same-host alerts. $investigate_4
  - Implication: broaden containment when related alerts show the same lure or delivery pattern across the user or host; skip broadening when local evidence supports a coherent benign workflow or single-host containment.

- Escalate on disguised/downloaded cache execution, loader handoff, suspicious infrastructure, or broader delivery; close only when process evidence and recovery bind one coherent benign workflow with no contradictions; when evidence is mixed or visibility incomplete, preserve artifacts and escalate.

### False positive analysis

- Browser-driven installers, vendor updaters, and archive-based delivery can launch signed helpers from cache or reference cached installer content. Confirm `process.executable`, hash/signer, parent executable/command line, `user.id`, and `host.id` align with one recognized vendor workflow, and recovered provenance/destinations do not contradict it. Without deployment records, require recurring signer or hash, parent workflow, account, and host pattern without loader children or unrelated external delivery.
- Archive preview, document viewing, or browser-open workflows can reference cached paths without executing a cached payload. Confirm `process.command_line` uses the cache path as a document, image, or shortcut argument, the parent workflow is stable for `user.id` and `host.id`, and recovered file, network, and child-process evidence lacks `.url/.lnk`, `.cmd/.bat/.js/.hta`, archive-to-script, or DLL-loader transitions.
- Before creating an exception, validate recurrence across prior alerts from this rule with stable `process.executable`, signer or hash, `process.parent.executable`, cache-path role, `user.id`, and `host.id`. Avoid exceptions on INetCache alone, Explorer alone, archive-manager name alone, or a user alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and record the process identity, command line, parent workflow, account, host, and any recovered provenance or destination evidence that proved the benign workflow. Create an exception only for the recurring signer or hash, cache-path role, parent workflow, `user.id`, and `host.id` combination.
- If suspicious but unconfirmed, preserve `process.entity_id`, `process.command_line`, parent/child lineage, runtime hash and signer, payload files, origin/referrer URLs, DNS names, destination IPs/ports, and related alert IDs before containment. Apply reversible containment first, such as temporary destination blocking or heightened monitoring for the affected `host.id` and `user.id`; isolate only when loader execution or network evidence suggests active payload delivery or command and control.
- If confirmed malicious, preserve the same process, file, and network artifacts before destructive action. Isolate the endpoint when host criticality permits, block confirmed malicious domains, destinations, and hashes, collect suspicious payloads, then terminate processes or delete files only after scope and evidence capture are complete.
- Eradicate only the shortcut, script, archive, DLL, extracted payload, startup item, or persistence artifact identified during the investigation. Verify the original browser-download, archive, WebDAV-like, or cache delivery path no longer reaches the host.
- Post-incident hardening: retain the evidence set that proved the case, review SmartScreen, Mark-of-the-Web, WebDAV, archive-handling, and web-download controls for the affected host class, and record adjacent variants such as disguised `.url` lures, archive-extracted scripts, or cache-based DLL launchers in the case notes.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.hash.sha256",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.parent.entity_id",
    "process.parent.pid",
    "process.parent.executable",
    "process.parent.command_line",
    "process.parent.args",
]

[transform]

[[transform.investigate]]
label = "File events for the launcher process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events for the executed process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process starts from the cached-content process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
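The EQL query above, and the first triage question from the note (is the INetCache path the image itself or only an argument?), re-implemented as matching logic over flattened ECS-style process-start events. This is an added Python example, not Elastic's code; it reproduces the `:` wildcard semantics (case-insensitive, `*` any run, `?` one character) with regexes, and the sample events, user names and cache subfolder names are constructed.

```python
import re

# Wildcard patterns copied from the rule's EQL query. The EQL ':' operator is a
# case-insensitive match in which '*' spans any run of characters and '?' one.
ARG_PATTERN = r"*\AppData\Local\Microsoft\Windows\INetCache\IE\*"
EXE_PATTERNS = [
    r"?:\Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\*",
    # CrowdStrike FDR reports NT object paths instead of drive letters
    r"\Device\HarddiskVolume*\Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\*",
]
EXCLUDED_PATTERNS = [
    r"?:\Program Files\*.exe", r"?:\Program Files (x86)\*.exe",
    r"?:\Windows\System32\mspaint.exe", r"?:\Windows\System32\notepad.exe",
    r"\Device\HarddiskVolume*\Program Files\*.exe",
    r"\Device\HarddiskVolume*\Program Files (x86)\*.exe",
    r"\Device\HarddiskVolume*\Windows\System32\mspaint.exe",
    r"\Device\HarddiskVolume*\Windows\System32\notepad.exe",
]
PARENT_NAMES = {"explorer.exe", "winrar.exe", "7zfm.exe", "bandizip.exe"}

def eql_wildcard(pattern):
    """Translate an EQL ':' wildcard pattern into an anchored, case-insensitive regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)

ARG_RE = eql_wildcard(ARG_PATTERN)
EXE_RES = [eql_wildcard(p) for p in EXE_PATTERNS]
EXCLUDED_RES = [eql_wildcard(p) for p in EXCLUDED_PATTERNS]

def cache_path_role(event):
    """First triage question: the image itself runs from INetCache ("image-in-cache"),
    or the cache path is only an argument such as a viewer's document or loader input."""
    if any(r.match(event.get("process.executable", "")) for r in EXE_RES):
        return "image-in-cache"
    if any(ARG_RE.match(a) for a in event.get("process.args", [])):
        return "argument-only"
    return "none"

def rule_matches(event):
    """Apply the rule's query to one flattened process-start event."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if event.get("process.parent.name", "").lower() not in PARENT_NAMES:
        return False
    if cache_path_role(event) == "none":
        return False
    # The exclusion list only drops vendor install locations and two stock viewers.
    exe = event.get("process.executable", "")
    return not any(r.match(exe) for r in EXCLUDED_RES)

def start_event(parent, exe, args=None):
    """Minimal flattened process-start event; constructed, not real telemetry."""
    return {"host.os.type": "windows", "event.type": "start", "process.parent.name": parent,
            "process.executable": exe, "process.args": args or [exe]}

# Constructed samples: user names and cache subfolder names are made up.
CACHE = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\AB12CD34"
NT_CACHE = r"\Device\HarddiskVolume3\Users\bob\AppData\Local\Microsoft\Windows\INetCache\IE\Q9W8E7"
SAMPLE_EVENTS = {
    "exe_from_cache": start_event("explorer.exe", CACHE + r"\invoice.exe"),
    "nt_path_from_archiver": start_event("WinRAR.exe", NT_CACHE + r"\setup.exe"),
    "viewer_opens_cached_image": start_event(
        "explorer.exe", r"C:\Windows\System32\mspaint.exe", ["mspaint.exe", CACHE + r"\photo.png"]),
    "loader_fed_cached_dll": start_event(
        "explorer.exe", r"C:\Windows\System32\rundll32.exe", ["rundll32.exe", CACHE + r"\update.dll,Start"]),
    "unlisted_parent": start_event("cmd.exe", CACHE + r"\invoice.exe"),
}

def evaluate_all():
    """Return {sample name: (rule fires?, cache-path role)} for every constructed event."""
    return {name: (rule_matches(ev), cache_path_role(ev)) for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, (fired, role) in evaluate_all().items():
        print(f"{name:28} fires={fired!s:5} cache_path_role={role}")
```

Note that the mspaint case does not fire even though its argument is a cache path, while the rundll32 case fires with role `argument-only`: that split is exactly the "viewer document vs. loader input" distinction the first triage step asks the analyst to make.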
