The hypothesis is that an adversary is leveraging a DCOM interface to execute a malicious DLL through InternetExplorer.Application, exploiting a DLL hijack vulnerability to gain unauthorized code execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement and persistence mechanisms used by advanced threats.
Detection Rule
title: Potential DCOM InternetExplorer.Application DLL Hijack
id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
related:
    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
      type: obsolete
    - id: f354eba5-623b-450f-b073-0b5b2773b6aa
      type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
// Azure Sentinel (ASIM imFileEvent) equivalent of the selection above.
// The process that created the file is ActingProcessName (the Sigma "Image" field);
// TargetFilePath is the full path of the written file and TargetFileName is the bare
// file name, so comparing TargetFilePath to "System" or TargetFileName to a
// directory suffix would never match.
imFileEvent
| where ActingProcessName =~ "System" and TargetFilePath endswith "\\Internet Explorer\\iertutil.dll"
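The same selection logic, re-implemented in Python as an added example (not part of the original hunt, the Sigma rule or the playbook) and run over constructed Sysmon Event ID 11 file-create records. The field names Image and TargetFilename are Sysmon's; the sample values, the case-insensitive comparison, and the Internet Explorer install-directory triage check are assumptions added here to show what the rule's suffix match does and does not distinguish.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 11 (FileCreate) records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Computer": "WKSTN01", "Image": "System",
     "TargetFilename": r"C:\Program Files\Internet Explorer\iertutil.dll"},
    {"Computer": "WKSTN01", "Image": "System",          # same write, different case and x86 path
     "TargetFilename": r"C:\Program Files (x86)\internet explorer\IERTUTIL.DLL"},
    {"Computer": "WKSTN02", "Image": r"C:\Windows\System32\svchost.exe",  # not the System process
     "TargetFilename": r"C:\Program Files\Internet Explorer\iertutil.dll"},
    {"Computer": "WKSTN02", "Image": "System",          # OS copy in System32, not the IE directory
     "TargetFilename": r"C:\Windows\System32\iertutil.dll"},
    {"Computer": "WKSTN03", "Image": "System",          # suffix matches, but outside Program Files
     "TargetFilename": r"C:\Users\bob\Downloads\Internet Explorer\iertutil.dll"},
]

SUFFIX = r"\internet explorer\iertutil.dll"
# Assumed Internet Explorer install directories, drive letter stripped (hypothetical list).
IE_DIRS = {r"\program files\internet explorer", r"\program files (x86)\internet explorer"}


def matches_rule(event: Dict[str, str]) -> bool:
    """Mirror the Sigma selection: Image is 'System' and TargetFilename ends with the
    suffix. Sigma and KQL 'endswith' compare case-insensitively, so lower-case both."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image == "system" and target.endswith(SUFFIX)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return None for non-matches; otherwise tag whether the write landed in the real
    IE install directory (the hijack location) or in some other folder with the same
    tail, which the rule's suffix match alone does not distinguish."""
    if not matches_rule(event):
        return None
    _, path = ntpath.splitdrive(event["TargetFilename"].lower())  # drops 'C:' or a UNC share
    return "ie_install_dir" if ntpath.dirname(path) in IE_DIRS else "other_location"


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to every record and attach the triage tag to each hit."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag is not None:
            hits.append({**event, "Triage": tag})
    return hits
```

Running hunt(SAMPLE_EVENTS) returns the two writes into the IE directory on WKSTN01 and the WKSTN03 write tagged other_location; the svchost.exe write and the System32 copy are not hits.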
Scenario: Scheduled Job Using InternetExplorer.Application for Automation
Description: A legitimate scheduled job uses InternetExplorer.Application to automate browser-based tasks (e.g., web scraping or form submission).
Filter/Exclusion: Check for CommandLine containing -silent or -automation flags, or filter by process name schtasks.exe or TaskScheduler.
Scenario: Admin Task Using DCOM for Remote Execution
Description: An administrator uses DCOM to remotely execute tasks via InternetExplorer.Application for maintenance or configuration purposes.
Filter/Exclusion: Filter by user account (e.g., Administrator or Domain Admins), or check for ProcessCreation with COM+ or DCOM in the command line.
Scenario: Legitimate Tool Using DCOM for COM Object Interaction
Description: A tool like PowerShell or VBScript interacts with COM objects using InternetExplorer.Application for legitimate scripting or integration.
Filter/Exclusion: Filter by ProcessName such as powershell.exe or wscript.exe, or check for known legitimate COM object usage in the CommandLine.
Scenario: System Update or Patching Tool Using InternetExplorer.Application
Description: A patching tool (e.g., Microsoft Baseline Security Analyzer, Windows Update) uses InternetExplorer.Application to load scripts or interact with web-based update interfaces.
Filter/Exclusion: Filter by ProcessName such as msbas.exe or wuauclt.exe, or check for CommandLine containing update or patch.
Scenario: Custom Application Using DCOM for Legacy Integration
Description: A custom enterprise application uses DCOM and InternetExplorer.Application to integrate with legacy systems or internal web services.