The hypothesis is that an adversary is attempting to extract the web credentials saved by Internet Explorer 7. IE 7 keeps those passwords in the Windows Credential Manager, protected with DPAPI, and any code running in the victim user's context can recover them by calling CryptUnprotectData with the fixed entropy GUID abe2869f-9b47-4cd9-a358-c22904dba7f7; no elevation is required, which is why this is a user-level (low-privilege) credential theft technique. The harvested passwords can then feed lateral movement or persistence, so SOC teams should proactively hunt for this behavior, for example by scanning files and process memory with the YARA rule below and correlating the hits in Azure Sentinel with the process and account that produced them.
YARA Rule
rule cred_ie7 {
    meta:
        author = "x0r"
        description = "Steal IE 7 credential"
        version = "0.1"
    strings:
        // DPAPI library that exports CryptUnprotectData
        $f1 = "Crypt32.dll" nocase
        // API that decrypts DPAPI blobs in the calling user's context; import names are case-sensitive, so no nocase
        $c1 = "CryptUnprotectData"
        // entropy GUID IE 7 passes to DPAPI when protecting saved web credentials
        $s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase
    condition:
        all of them
}
The rule contains three string patterns and fires only when all three are present in the scanned object: the DPAPI library name, the CryptUnprotectData import, and the IE 7 credential entropy GUID. The GUID is what makes the rule specific; a program that merely uses DPAPI (Crypt32.dll plus CryptUnprotectData) does not match. Legitimate administrative tooling that really does decrypt IE 7 credentials will contain all three strings, and the scenarios below describe such cases together with the exclusions to apply.
Two caveats apply to every exclusion below. First, the rule matches on file content, so the unit to exclude is the matching file (its SHA-256 or its Authenticode signer), not the process that happened to run it; a process name such as iexplore.exe or powershell.exe can be reproduced by simply renaming a dumper. Second, do not exclude on the account being a member of Administrators: administrator sessions hold the most valuable stored credentials, and an exclusion on user.rights would silence the detection exactly where it matters. Windows event ID 1000 in the Application log records an application crash and is unrelated to this activity, so it should not be part of any filter. The field names used below (process.name, command_line, and so on) are illustrative and must be mapped onto the tables actually queried in Azure Sentinel.
Scenario: Scheduled Job to Export IE 7 Credentials for Compliance Purposes
Description: A system administrator runs a scheduled job that exports Internet Explorer 7 saved credentials as part of a compliance audit. The export tool decrypts the stored credentials itself, so it legitimately contains all three strings.
Filter/Exclusion: Exclude the SHA-256 of the approved compliance tool and correlate the hit with the scheduled task name and the service account that runs it. Note that ie4uinit.exe is the Internet Explorer per-user setup binary and has no credential export function; a process by that name with an "export" argument is a finding, not an exclusion.
Scenario: Admin Task to Reset IE 7 Password for a User
Description: An administrator clears or replaces a user's saved Internet Explorer 7 credential with a script or a built-in tool (the Credential Manager control panel or cmdkey.exe). Deleting or overwriting a stored credential does not require decrypting it, so the built-in tools should not trigger the rule; only a custom script that embeds the entropy GUID and calls CryptUnprotectData will.
Filter/Exclusion: Exclude the SHA-256 of the approved script and correlate the hit with the change ticket or admin task name under which it ran; the process name alone ("reset" arguments included) is not a safe exclusion key.
Scenario: Use of IE 7 for Legacy Application Access
Description: A user accesses a legacy application through Internet Explorer 7 and lets the browser store the credentials. Internet Explorer's own components must decrypt those credentials, so a scan of the IE installation or of iexplore.exe process memory can match the rule.
Filter/Exclusion: Exclude Microsoft-signed Internet Explorer binaries (valid Authenticode signature, loaded from the Windows or Program Files\Internet Explorer directories). A user agent string containing "IE 7" identifies browsing traffic, not the file that matched, and is not a usable exclusion for this rule.
Scenario: IE 7 Credential Export via PowerShell Script for Backup
Description: A PowerShell script exports Internet Explorer 7 saved credentials as part of a backup process. A script that decrypts the credentials directly has to P/Invoke CryptUnprotectData from Crypt32.dll and embed the entropy GUID, so the script file itself matches the rule.
Filter/Exclusion: Exclude the SHA-256 of the approved backup script and correlate the hit with the backup job name. Do not key the exclusion on a function name in the command line: Export-IECredential is not a built-in cmdlet, and an attacker can name a function the same way.
Scenario: IE 7 Credential Import for Testing
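The following Python reimplements the rule's three string checks and its all of them condition without yara-python, then applies the hash-based allowlist that the scenarios above call for. It is an added example, not code from the page or from the rule's author. The sample byte strings stand in for scanned files and are constructed here; the allowlist entry is computed from one of them rather than taken from any real tool.

```python
import hashlib
import re

# The three patterns from the cred_ie7 rule. The second element records the
# 'nocase' modifier: $f1 and $s1 are case-insensitive, $c1 is exact-case.
RULE_STRINGS = {
    "$f1": (b"Crypt32.dll", True),
    "$c1": (b"CryptUnprotectData", False),
    "$s1": (b"abe2869f-9b47-4cd9-a358-c22904dba7f7", True),
}


def matched_strings(data: bytes) -> set:
    """Return the names of the rule strings found in data (plain ASCII search)."""
    hits = set()
    for name, (pattern, nocase) in RULE_STRINGS.items():
        flags = re.IGNORECASE if nocase else 0
        if re.search(re.escape(pattern), data, flags):
            hits.add(name)
    return hits


def cred_ie7_matches(data: bytes) -> bool:
    """The rule's condition is 'all of them': every string must be present."""
    return matched_strings(data) == set(RULE_STRINGS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(samples: dict, allowlist: set) -> dict:
    """Map each sample name to 'clean', 'allowlisted' (rule hit, known tool) or 'alert'."""
    verdicts = {}
    for name, data in samples.items():
        if not cred_ie7_matches(data):
            verdicts[name] = "clean"
        elif sha256_hex(data) in allowlist:
            verdicts[name] = "allowlisted"
        else:
            verdicts[name] = "alert"
    return verdicts


# Constructed stand-ins for scanned files (not real binaries): a few ASCII
# strings as they would appear in an import table or a script body.
SAMPLES = {
    # Uses DPAPI but never references the IE entropy GUID: two of three strings.
    "benign_dpapi_tool": b"MZ\x90\x00crypt32.DLL\x00CryptProtectData\x00CryptUnprotectData\x00",
    # GUID and DLL present, but the import name is lower-cased; $c1 has no
    # 'nocase', and YARA text strings are exact-case unless nocase is given.
    "wrong_case_import": b"MZ\x90\x00Crypt32.dll\x00cryptunprotectdata\x00"
                         b"ABE2869F-9B47-4CD9-A358-C22904DBA7F7\x00",
    # All three strings: what an IE 7 credential dumper looks like to the rule.
    "ie_cred_dumper": b"MZ\x90\x00Crypt32.dll\x00CryptUnprotectData\x00"
                      b"abe2869f-9b47-4cd9-a358-c22904dba7f7\x00",
    # Same strings inside a hypothetical approved backup tool; handled by hash.
    "approved_backup_tool": b"MZ\x90\x00CRYPT32.DLL\x00CryptUnprotectData\x00"
                            b"abe2869f-9b47-4cd9-a358-c22904dba7f7\x00IECredBackup 1.0\x00",
}

# Hypothetical allowlist: in production, the SHA-256 of each vetted tool or script.
ALLOWLIST = {sha256_hex(SAMPLES["approved_backup_tool"])}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES, ALLOWLIST).items():
        print(f"{name:22} {sorted(matched_strings(SAMPLES[name]))} -> {verdict}")
```

Running the block prints one line per sample with the strings that matched and the verdict. The instructive rows are the two non-alerts that still contain CryptUnprotectData: the first shows why the rule needs the GUID rather than the DPAPI import alone, and the second shows that a case change in the import name defeats $c1, which is the trade-off the rule's author accepted by leaving nocase off that string.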