Internet Explorer DisableFirstRunCustomize Enabled

Hunt Hypothesis

Detects changes to the Internet Explorer “DisableFirstRunCustomize” value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing

Detection Rule

Sigma (Original)

title: Internet Explorer DisableFirstRunCustomize Enabled
id: ab567429-1dfb-4674-b6d2-979fd2f9d125
status: test
description: |
    Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
    - https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2025-10-07
tags:
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
        Details:
            - 'DWORD (0x00000001)' # Home Page
            - 'DWORD (0x00000002)' # Welcome To IE
    filter_main_generic:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\ie4uinit.exe'
    filter_optional_avira:
        Image|contains|all:
            - '\Temp\'
            - '\.cr\avira_'
        Details|contains: 'DWORD (0x00000001)'
    filter_optional_foxit:
        Image:
            - 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
            - 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
        Details|contains: 'DWORD (0x00000001)'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - As this is controlled by group policy as well as user settings. Some false positives may occur.
level: medium

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey endswith "\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize" and (RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)"))) and (not((ActingProcessName in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ie4uinit.exe")))) and (not((((ActingProcessName contains "\\Temp\\" and ActingProcessName contains "\\.cr\\avira_") and RegistryValueData contains "DWORD (0x00000001)") or ((ActingProcessName in~ ("C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe")) and RegistryValueData contains "DWORD (0x00000001)"))))

Required Data Sources

False Positive Guidance

• As this is controlled by group policy as well as user settings. Some false positives may occur.

References

• https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
• https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
• https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
• SigmaHQ Rule