iexpl0re is a malware family whose name is one character off from Internet Explorer's iexplore.exe (a zero in place of the o). The YARA rule below, whose metadata names Seth Hardy as author (last modified 2014-07-21), flags the family when either its code patterns or its strings are present. A YARA hit on a host is a malware detection, not a low-severity reconnaissance indicator, and should be handled as a possible initial foothold: acquire the sample, scope the incident by file hash, and look for follow-on lateral movement. Note also what YARA does and does not see: it evaluates file contents and process memory, so a SIEM such as Azure Sentinel only receives the result if the scanner or EDR forwards the match as an event. Hunting for this family in a SIEM means querying those forwarded scanner events; the rule itself is not something the SIEM runs.
YARA Rule
rule iexpl0re : Family
{
    meta:
        description = "iexpl0re family"
        author = "Seth Hardy"
        last_modified = "2014-07-21"
    condition:
        // iexpl0reCode and iexpl0reStrings are separate rules from the same
        // rule set. They are not reproduced on this page, and YARA will refuse
        // to compile this rule unless both are defined in the same file or
        // namespace before it is loaded.
        iexpl0reCode or iexpl0reStrings
}
The scenarios below are not YARA deployment contexts. The fields they use (process.name, process.parent_process_name, process.command_line) come from endpoint process-creation telemetry, and they describe tuning exclusions for a SIEM/EDR detection keyed on Internet Explorer process activity, the kind of alert that sits alongside a scanner reporting an iexpl0re match. Each filter is the condition under which an event is kept and alerted on; when the filter is false the scenario has matched and the event is suppressed. Two cautions apply. First, the family name differs from iexplore.exe by one character, so a suppression keyed on process name alone can hide the very sample the YARA rule identifies; a YARA match on the image should override every exclusion here. Second, verify parent-process values against your own telemetry before relying on them: a process launched by Task Scheduler normally has svchost.exe (hosting the Schedule service) as its parent, not schtasks.exe, which is only the command-line tool that creates the task.
Scenario: Legitimate scheduled task running Internet Explorer for automated reporting
Filter/Exclusion: process.parent_process_name != "schtasks.exe" or process.name != "iexplore.exe"
Scenario: Admin using Internet Explorer to access internal SharePoint site
Filter/Exclusion: process.parent_process_name != "explorer.exe" or process.name != "iexplore.exe" or process.command_line !contains "sharepoint"
Scenario: System update using Microsoft Edge to download and install patches
Filter/Exclusion: process.name != "msedge.exe" or process.command_line !contains "update"
Scenario: User running a legacy application that requires Internet Explorer in compatibility mode
Filter/Exclusion: process.name != "iexplore.exe" or process.command_line !contains "appcmd" (appcmd is the IIS administration tool; confirm the string actually appears in the legacy application's launch command before using it as a key)
Scenario: IT staff using Internet Explorer to perform browser compatibility testing
Filter/Exclusion: process.parent_process_name != "cmd.exe" or process.name != "iexplore.exe" or process.command_line !contains "compatibility testing" (a literal phrase like this rarely appears in a real command line; a documented test-harness path or a dedicated tester account is a more reliable key)
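The following is an added example, not code from the original page or from the rule's author. It expresses each scenario above as the condition under which an alert is suppressed, runs the exclusions over a handful of constructed process-creation events, and shows the caveat in practice: a binary named iexpl0re.exe slips past every name-based exclusion and alerts, while a sample that copies the exact name iexplore.exe and is launched by a scheduled task would be suppressed by the first exclusion if the scanner's verdict were not allowed to override it. The event layout, the yara_match field, the scheduled-task parent of schtasks.exe (taken from the page), and all sample events are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event. Field names follow the page's filter syntax.
    yara_match is an assumed extra field: True when a file/memory scanner has
    already matched the process image against the iexpl0re rule."""
    name: str
    parent_process_name: str
    command_line: str
    yara_match: bool = False


def _lc(s: str) -> str:
    return s.lower()


# Each scenario from the page, written as the condition under which the alert is
# suppressed (the page's filters are the negation of these). The IE scenarios
# are pinned to process.name == iexplore.exe so they cannot swallow other names.
# The schtasks.exe parent is the page's value, kept as an assumption; real
# task-launched processes are usually children of svchost.exe.
SUPPRESSIONS: Dict[str, Callable[[ProcEvent], bool]] = {
    "scheduled_task_ie": lambda e: _lc(e.parent_process_name) == "schtasks.exe"
    and _lc(e.name) == "iexplore.exe",
    "admin_sharepoint": lambda e: _lc(e.parent_process_name) == "explorer.exe"
    and _lc(e.name) == "iexplore.exe"
    and "sharepoint" in _lc(e.command_line),
    "edge_update": lambda e: _lc(e.name) == "msedge.exe"
    and "update" in _lc(e.command_line),
    "legacy_app_ie": lambda e: _lc(e.name) == "iexplore.exe"
    and "appcmd" in _lc(e.command_line),
    "compat_testing_ie": lambda e: _lc(e.parent_process_name) == "cmd.exe"
    and _lc(e.name) == "iexplore.exe"
    and "compatibility testing" in _lc(e.command_line),
}


def matching_suppressions(event: ProcEvent) -> List[str]:
    """Names of every exclusion whose scenario matches this event."""
    return [name for name, pred in SUPPRESSIONS.items() if pred(event)]


def should_alert(event: ProcEvent) -> bool:
    """A YARA match on the image is authoritative: no process-name exclusion may
    suppress it. Otherwise the event is suppressed when any scenario matches."""
    if event.yara_match:
        return True
    return not matching_suppressions(event)


def triage(events: Dict[str, ProcEvent]) -> Dict[str, object]:
    """Split labelled events into those that alert and those that were suppressed,
    recording which exclusion(s) suppressed each."""
    alert: List[str] = []
    suppressed: Dict[str, List[str]] = {}
    for label, event in events.items():
        if should_alert(event):
            alert.append(label)
        else:
            suppressed[label] = matching_suppressions(event)
    return {"alert": alert, "suppressed": suppressed}


# Constructed telemetry for the demonstration; none of these are real events.
SAMPLE_EVENTS: Dict[str, ProcEvent] = {
    "report_task": ProcEvent(
        "iexplore.exe", "schtasks.exe",
        "iexplore.exe -k http://reports.corp.example/daily"),
    "sharepoint_admin": ProcEvent(
        "iexplore.exe", "explorer.exe",
        r'"C:\Program Files\Internet Explorer\iexplore.exe" https://sharepoint.corp.example/sites/it'),
    "edge_update": ProcEvent(
        "msedge.exe", "svchost.exe", "msedge.exe --update"),
    # Family-style name with a zero: no exclusion is keyed on it, so it alerts.
    "masquerade_zero": ProcEvent(
        "iexpl0re.exe", "explorer.exe", r"C:\Users\Public\iexpl0re.exe"),
    # Exact legitimate name from an odd path, launched the way scenario 1 expects,
    # but the scanner matched the image: the YARA verdict must win.
    "masquerade_exact_name_yara": ProcEvent(
        "iexplore.exe", "schtasks.exe", r"C:\Users\Public\iexplore.exe",
        yara_match=True),
    "plain_browsing": ProcEvent(
        "iexplore.exe", "explorer.exe", "iexplore.exe https://news.example.net"),
}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

Run it and the two masquerade cases both end up in the alert list: the zero-spelled name because nothing excludes it, the exact-name sample because the YARA match short-circuits the exclusions even though `matching_suppressions` reports that scenario 1 would otherwise have suppressed it. The ordinary browsing event also alerts, which is the expected behaviour of a detection tuned only by the five scenarios above and a reminder that these exclusions reduce, rather than eliminate, noise from legitimate Internet Explorer use.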