Potential CVE-2025-33053 Exploitation

Identifies Internet Explorer Diagnostics launching a helper name from a non-System32 path, which may indicate CVE-2025-33053 exploitation.

Elastic rule

[metadata]
creation_date = "2025/06/11"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies Internet Explorer Diagnostics launching a helper name from a non-System32 path, which may indicate
CVE-2025-33053 exploitation.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential CVE-2025-33053 Exploitation"
references = [
    "https://research.checkpoint.com/2025/stealth-falcon-zero-day/",
    "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053",
]
risk_score = 73
rule_id = "5e23495f-09e2-4484-8235-bdb150d698c9"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.executable : "C:\\Program Files\\Internet Explorer\\iediagcmd.exe" and
  process.name : ("route.exe", "netsh.exe", "ipconfig.exe", "dxdiag.exe", "conhost.exe", "makecab.exe") and
  process.executable != null and
  not process.executable : ("C:\\Windows\\System32\\route.exe",
                            "C:\\Windows\\System32\\netsh.exe",
                            "C:\\Windows\\System32\\ipconfig.exe",
                            "C:\\Windows\\System32\\dxdiag.exe",
                            "C:\\Windows\\System32\\conhost.exe",
                            "C:\\Windows\\System32\\makecab.exe")
'''

note = """## Triage and analysis

### Investigating Potential CVE-2025-33053 Exploitation

#### Possible investigation steps

- Does the alert show "iediagcmd.exe" launching a non-system helper?
  - Focus: `process.parent.executable`, `process.name`, `process.executable`, and `process.command_line`; check for WebDAV, UNC, temp, downloads, archive-extracted, or user-writable helper paths.
  - Implication: escalate when the helper name matches a diagnostics utility but `process.executable` is outside "C:\\Windows\\System32\\" or points to remote/user-writable content; lower suspicion only when the path is a controlled diagnostic harness bounded to this `host.id` and `user.id`.
- Does child identity fit the claimed system utility?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.hash.sha256`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.
  - Implication: escalate when the child is unsigned, newly seen, remotely hosted, user-writable, or PE metadata mismatches the helper name; a trusted signer/familiar name confirms identity only, not benign "iediagcmd.exe" use.
- Does parent/session context fit user-triggered execution?
  - Focus: `process.parent.command_line`, `process.Ext.session_info.logon_type`, and `user.id`.
  - Hint: inspect `process.Ext.ancestry` only when direct parent/child context is incomplete.
  - Implication: escalate when the parent command line/ancestry points to a shortcut, archive, browser, mail client, or document-open path in an interactive user session; lower suspicion when parent/session evidence stays inside a controlled diagnostic or authorized test launch path.
- If file telemetry is available, did the lure or child stage follow-on artifacts?
  - Focus: recover file events with `host.id` + `process.entity_id`; if absent, use `host.id` + `process.pid` in the alert window. Review `file.name`, `file.path`, `file.origin_url`, and `file.Ext.windows.zone_identifier` for ".url" lures, archive extraction, decoy PDFs, copied helpers, DLLs, or payloads. $investigate_0
  - Hint: if the child writes a file, check later starts where `process.executable` equals `file.path`.
  - Implication: escalate on internet provenance, WebDAV/UNC lure paths, decoys, copied utilities, DLLs, or written artifacts later executed; missing file telemetry is unresolved, not benign.
- If DNS/connection telemetry is available, did the child contact a remote share or callback?
  - Focus: recover network events with `host.id` + `process.entity_id`; if absent, use `host.id` + `process.pid` in the alert window. Separate DNS `dns.question.name`/`dns.resolved_ip` from connection `destination.ip`/`destination.port`. $investigate_1
  - Hint: map "lookup_result" `dns.question.name` to `dns.resolved_ip`, then compare with `destination.ip` and any remote host from the helper path or lure.
  - Implication: escalate when the child reaches a remote-share host, rare public destination, or later C2-like infrastructure unrelated to diagnostics; missing DNS/connection telemetry is unresolved, not benign.
- Do descendants or siblings show cleanup, decoy opening, or payload execution?
  - Focus: later process starts on the same `host.id`, using direct `process.parent.entity_id` links first; review `process.executable`, `process.command_line`, `process.Ext.created_suspended`, and signer context. $investigate_2
  - Hint: use PID matching only in a tight alert-time window, and inspect `process.Ext.ancestry` only when direct lineage is incomplete.
  - Implication: escalate when the chain launches "taskkill.exe", opens a decoy through "cmd.exe", starts a browser from an abnormal path, creates a suspended process, or runs unsigned follow-on payloads; keep host-local only when no follow-on evidence contradicts a bounded diagnostic or test path.
- If local evidence is suspicious or incomplete, do related alerts show broader delivery or post-exploitation?
  - Focus: review same-`user.id` alerts over 48 hours for the same lure, proxy-execution, payload, or C2 pattern. $investigate_3
  - Hint: if the user scope is sparse or shared, compare same-`host.id` alerts for the same ".url", WebDAV, child hash, or payload pattern. $investigate_4
  - Implication: expand response scope when related alerts show the same lure, remote working directory, payload, or post-exploitation pattern; keep response host-local only when related alerts are absent and local telemetry fully explains one recognized workflow.
- What disposition do helper-path, identity, launch, artifact, network, descendant, and related-alert findings support?
  - Implication: escalate on remote working-directory abuse, lure delivery, payload staging, suspicious destinations, cleanup, or broader compromise; close only when process, artifact, network, descendant, and alert-scope evidence bind one recognized diagnostic or authorized test workflow; preserve and escalate on incomplete or mixed visibility.

### False positive analysis

- Routine diagnostics resolve helpers from "C:\\Windows\\System32\\". Treat helper execution from WebDAV, UNC, temp, downloads, or archive paths as an operational anti-pattern unless telemetry proves a controlled harness or authorized exploit test: child identity (`process.executable`, `process.hash.sha256`, signer, `process.command_line`), parent launch context, `user.id`, `host.id`, and ".url", file-provenance, DNS, or destination evidence stay inside the same bounded workflow; use testing records only to corroborate telemetry.
- Before exceptions, validate the minimum recurring pattern: child path or hash, signer, command line, `process.parent.executable`, `user.id`, `host.id`, and bounded lure or destination pattern. Avoid exceptions on "iediagcmd.exe", `process.name`, helper basename, or `host.id` alone because those fields also match malicious working-directory hijack chains.

### Response and remediation

- If confirmed benign, reverse containment and document the exact child path/hash, command line, parent launch context, `user.id`, `host.id`, and lure or destination evidence proving the diagnostic or testing workflow. Create an exception only for that recurring bounded pattern.
- If suspicious but unconfirmed, preserve a case export of the alert, parent/child process details, suspicious helper binary, ".url" or archive artifacts, file-provenance records, DNS/connection records, and descendant process evidence before containment. Apply reversible containment first: block the confirmed WebDAV or callback destination, remove remote-share access, or raise monitoring on `host.id`; isolate only when artifact, network, or descendant evidence shows active compromise and the host role can tolerate disruption.
- If confirmed malicious, isolate the host or terminate the malicious child and confirmed descendants only after recording process entity IDs, command lines, hashes, lure paths, destination indicators, and related alert identifiers. If endpoint response is unavailable, hand off preserved evidence to contain the endpoint or block remote infrastructure.
- Before deleting artifacts, scope other users and hosts for the same ".url" filename pattern, WebDAV/UNC host, child hash, command line, decoy path, and payload path. Remove only lure files, dropped helpers, DLLs, decoys, archives, and payloads found during the investigation, then restore modified execution paths that supported the hijack chain.
- After containment, apply the June 2025 Windows security updates for CVE-2025-33053 where missing, restrict untrusted Internet Shortcut content and remote-working-directory execution paths, retain process/file/network telemetry, and document variants such as helper names or WebDAV paths for detection engineering review.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.name",
    "process.pid",
    "process.entity_id",
    "process.executable",
    "process.command_line",
    "process.Ext.session_info.logon_type",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.parent.executable",
    "process.parent.command_line",
    "process.hash.sha256",
]

[transform]

[[transform.investigate]]
label = "File events for the suspicious child process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events for the suspicious child process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process starts from the suspicious child process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
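The following is an added worked example, not part of the Elastic rule or its documentation. It renders the query's match logic in Python and then runs the investigation guide's pivots (file writes by the child, later starts of a written path, DNS "lookup_result" names joined to connection destinations, and direct descendants) over a handful of constructed ECS-style events. The host ID, entity IDs, user path, the 203.0.113.10 WebDAV share and the payload name are made-up assumptions for the demonstration; EQL's case-insensitive ":" operator is approximated with fnmatch.

```python
"""Added worked example (not Elastic's code): the rule's match logic and the
investigation-guide pivots, run over constructed ECS-style events."""
import fnmatch

IEDIAGCMD = r"C:\Program Files\Internet Explorer\iediagcmd.exe"
HELPERS = ("route.exe", "netsh.exe", "ipconfig.exe", "dxdiag.exe", "conhost.exe", "makecab.exe")
SYSTEM32_PATHS = ["C:\\Windows\\System32\\" + h for h in HELPERS]


def eql_match(value, pattern):
    """EQL ':' is a case-insensitive string match with wildcards; approximated with fnmatch."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(ev):
    """Python rendering of the query: iediagcmd.exe starts a listed helper name whose
    resolved path is anything other than the expected C:\\Windows\\System32 copy."""
    if ev.get("host.os.type") != "windows" or ev.get("event.category") != "process":
        return False
    if ev.get("event.type") != "start" or not eql_match(ev.get("process.parent.executable"), IEDIAGCMD):
        return False
    if (ev.get("process.name") or "").lower() not in HELPERS:
        return False
    exe = ev.get("process.executable")
    if exe is None:  # 'process.executable != null': an unresolved path never alerts
        return False
    return not any(eql_match(exe, p) for p in SYSTEM32_PATHS)


def triage(alert, events):
    """Pivots from the guide, keyed on host.id + process.entity_id: files the child wrote,
    later process starts whose executable equals one of those paths, lookup_result names
    mapped to resolved IPs and joined to connection destinations, and direct children."""
    host, eid, t0 = alert["host.id"], alert["process.entity_id"], alert["@timestamp"]
    on_host = [e for e in events if e.get("host.id") == host]
    mine = [e for e in on_host if e.get("process.entity_id") == eid]
    starts = [e for e in on_host if e.get("event.category") == "process" and e.get("event.type") == "start"]
    written = [e["file.path"] for e in mine if e.get("event.category") == "file" and e.get("file.path")]
    later_exec = [e for e in starts if e["@timestamp"] > t0
                  and any(eql_match(e.get("process.executable"), w) for w in written)]
    resolved = {}
    for e in mine:
        if e.get("event.category") == "network" and e.get("event.action") == "lookup_result":
            for ip in e.get("dns.resolved_ip", []):
                resolved[ip] = e["dns.question.name"]
    destinations = {e["destination.ip"]: resolved.get(e["destination.ip"])
                    for e in mine if e.get("event.category") == "network" and e.get("destination.ip")}
    descendants = [e for e in starts if e.get("process.parent.entity_id") == eid]
    return {"files_written": written, "later_executions": later_exec,
            "destinations": destinations, "descendants": descendants}


def _proc(ts, eid, parent, name, exe, parent_eid=None):
    """Build a constructed process-start event on the assumed host h1."""
    return {"@timestamp": ts, "host.id": "h1", "host.os.type": "windows", "event.category": "process",
            "event.type": "start", "process.entity_id": eid, "process.parent.entity_id": parent_eid,
            "process.parent.executable": parent, "process.name": name, "process.executable": exe}


WEBDAV_ROUTE = r"\\203.0.113.10@80\DavWWWRoot\share\route.exe"  # assumed lure share, documentation address
DROPPED = r"C:\Users\alice\AppData\Local\Temp\payload.exe"      # assumed dropped file
# Constructed sample telemetry (not real logs); ISO timestamps so they compare lexically.
EVENTS = [
    _proc("2025-06-11T10:00:00Z", "p1", IEDIAGCMD, "route.exe", r"c:\windows\system32\ROUTE.EXE"),  # benign, mixed case
    _proc("2025-06-11T10:00:30Z", "p4", IEDIAGCMD, "cmd.exe", r"\\203.0.113.10@80\DavWWWRoot\share\cmd.exe"),  # not a listed helper
    _proc("2025-06-11T10:00:40Z", "p5", IEDIAGCMD, "netsh.exe", None),  # path unresolved: no alert
    _proc("2025-06-11T10:01:00Z", "p2", IEDIAGCMD, "route.exe", WEBDAV_ROUTE),  # working-directory hijack
    {"@timestamp": "2025-06-11T10:01:05Z", "host.id": "h1", "event.category": "file",
     "process.entity_id": "p2", "file.path": DROPPED},
    {"@timestamp": "2025-06-11T10:01:06Z", "host.id": "h1", "event.category": "network", "event.action": "lookup_result",
     "process.entity_id": "p2", "dns.question.name": "dav.example.test", "dns.resolved_ip": ["203.0.113.10"]},
    {"@timestamp": "2025-06-11T10:01:07Z", "host.id": "h1", "event.category": "network",
     "process.entity_id": "p2", "destination.ip": "203.0.113.10", "destination.port": 80},
    _proc("2025-06-11T10:01:10Z", "p3", WEBDAV_ROUTE, "payload.exe", DROPPED, parent_eid="p2"),
]


def run(events=EVENTS):
    """Evaluate the rule over the events and triage every alert it produces."""
    alerts = [e for e in events if rule_matches(e)]
    return alerts, [triage(a, events) for a in alerts]


if __name__ == "__main__":
    for alert, finding in zip(*run()):
        print(alert["process.executable"], finding)
```

Only the WebDAV-resolved route.exe alerts: the System32 copy is excluded even with different letter case, a non-listed name such as cmd.exe is out of scope for this rule, and a null process.executable is dropped by the `!= null` clause. The triage output for that alert ties the dropped file to its later execution, the DNS answer to the connection destination, and the payload start to its parent, which is the evidence chain the guide asks for before escalating.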
