Ie4uinit Lolbin Use From Invalid Path
Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
Sigma rule (View on GitHub)
1title: Ie4uinit Lolbin Use From Invalid Path
2id: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc
3status: test
4description: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
7 - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
8author: frack113
9date: 2022/05/07
10modified: 2022/05/16
11tags:
12 - attack.defense_evasion
13 - attack.t1218
14logsource:
15 product: windows
16 category: process_creation
17detection:
18 lolbin:
19 - Image|endswith: '\ie4uinit.exe'
20 - OriginalFileName: 'IE4UINIT.EXE'
21 filter_correct:
22 CurrentDirectory:
23 - 'c:\windows\system32\'
24 - 'c:\windows\sysWOW64\'
25 filter_missing:
26 CurrentDirectory: null
27 condition: lolbin and not 1 of filter_*
28falsepositives:
29 - ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"
30level: medium
References
-
Executes commands from a specially prepared ie4uinit.inf file. ie4uinit.exe -BaseSettings Use caseGet code execution by copy files to another location Privileges requiredUser Operating systemsWindo...
Read More -
Introduction Two weeks ago, I blogged about several “pass-thru” techniques that leveraged the use of INF files (‘.inf’) to “fetch and execute” remote script comp…
Read More
Related rules
- Created Files by Microsoft Sync Center
- DeviceCredentialDeployment Execution
- Execute MSDT Via Answer File
- Execute Pcwrun.EXE To Leverage Follina
- Legitimate Application Dropped Archive