Ie4uinit Lolbin Use From Invalid Path
Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
Sigma rule (View on GitHub)
1title: Ie4uinit Lolbin Use From Invalid Path
2id: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc
3status: test
4description: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
7 - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
8author: frack113
9date: 2022-05-07
10modified: 2022-05-16
11tags:
12 - attack.defense-evasion
13 - attack.t1218
14logsource:
15 product: windows
16 category: process_creation
17detection:
18 lolbin:
19 - Image|endswith: '\ie4uinit.exe'
20 - OriginalFileName: 'IE4UINIT.EXE'
21 filter_correct:
22 CurrentDirectory:
23 - 'c:\windows\system32\'
24 - 'c:\windows\sysWOW64\'
25 filter_missing:
26 CurrentDirectory: null
27 condition: lolbin and not 1 of filter_*
28falsepositives:
29 - ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"
30level: medium
References
-
Ie4uinit.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Introduction Two weeks ago, I blogged about several “pass-thru” techniques that leveraged the use of INF files (‘.inf’) to “fetch and execute” remote script comp…
Read More
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE