A malicious actor may be leveraging a DCOM interface to hijack the InternetExplorer.Application process and load a malicious DLL, exploiting the trust in the legitimate application. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential DLL hijack attacks that could lead to code execution and lateral movement.
Detection Rule
```yaml
title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
id: f354eba5-623b-450f-b073-0b5b2773b6aa
related:
    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
      type: obsolete
    - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
      type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\Internet Explorer\iexplore.exe'
        ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
The same selection expressed as a Microsoft Sentinel / Defender advanced hunting query:

```kql
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\Internet Explorer\\iexplore.exe" and FolderPath endswith "\\Internet Explorer\\iertutil.dll"
```
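To show what the two `endswith` conditions actually match, here is an added example (not part of the original rule or the Threat Hunter Playbook) that applies the rule's selection to a handful of constructed image-load events. It assumes the Sysmon Event ID 7 field names `Image` and `ImageLoaded` and applies Sigma's case-insensitive string matching; the parent-process field is only carried along for triage context.

```python
"""Apply the rule's Sigma selection to constructed image-load events."""
from dataclasses import dataclass

# Selection copied from the rule above. Sigma string modifiers match case-insensitively.
SELECTION = {
    "Image": r"\Internet Explorer\iexplore.exe",
    "ImageLoaded": r"\Internet Explorer\iertutil.dll",
}


@dataclass
class ImageLoadEvent:
    image: str         # process that loaded the DLL (Sysmon EID 7 "Image")
    image_loaded: str  # full path of the loaded DLL (Sysmon EID 7 "ImageLoaded")
    parent: str        # parent process, kept only as triage context


def matches(event: ImageLoadEvent) -> bool:
    """True when both endswith conditions hold (Sigma 'condition: selection')."""
    return (event.image.lower().endswith(SELECTION["Image"].lower())
            and event.image_loaded.lower().endswith(SELECTION["ImageLoaded"].lower()))


def hunt(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches(e)]


# Constructed sample events; these are not real telemetry.
SAMPLE_EVENTS = [
    # iertutil.dll loaded from System32: the DLL name matches but the folder does not.
    ImageLoadEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                   r"C:\Windows\System32\iertutil.dll", r"C:\Windows\explorer.exe"),
    # iertutil.dll loaded from the Internet Explorer folder itself: this is the hijack pattern.
    ImageLoadEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                   r"C:\Program Files\Internet Explorer\iertutil.dll", r"C:\Windows\System32\svchost.exe"),
    # Another process loading a same-named DLL from its own folder: Image does not match.
    ImageLoadEvent(r"C:\Tools\Legacy\browserhost.exe",
                   r"C:\Tools\Legacy\iertutil.dll", r"C:\Windows\explorer.exe"),
    # Same hijack pattern with different casing: still fires, as in Sigma.
    ImageLoadEvent(r"c:\program files\internet explorer\IEXPLORE.EXE",
                   r"c:\program files\internet explorer\IERTUTIL.DLL", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"HIT parent={hit.parent} image={hit.image} loaded={hit.image_loaded}")
```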
Scenario: Legitimate Use of InternetExplorer.Application for Scripting
Description: A system administrator or developer is using Internet Explorer for scripting or automation tasks, such as running legacy scripts or COM objects.
Filter/Exclusion: Check for the presence of InternetExplorer.Application in the process name and filter out processes associated with known scripting tools like PowerShell, VBScript, or WSH (Windows Script Host).
Scenario: Scheduled Job Loading DLLs for Maintenance Tasks
Description: A scheduled job or maintenance task is loading DLLs via DCOM for system updates, patching, or configuration changes.
Filter/Exclusion: Exclude processes launched by Task Scheduler or schtasks.exe, and filter out DLLs that are part of known system maintenance tools like Windows Update, Group Policy, or SCOM (System Center Operations Manager).
Scenario: Admin Tool Using DCOM for Remote Management
Description: An administrator is using a remote management tool (e.g., Microsoft Remote Desktop, Remote Server Administration Tools (RSAT)) that leverages DCOM and loads InternetExplorer.Application for UI rendering.
Filter/Exclusion: Filter out processes initiated by mstsc.exe or rsat.exe, and check for known admin tools that use DCOM for remote management.
Scenario: Antivirus or Security Software Loading DLLs for Scanning
Description: A security tool (e.g., Windows Defender, Malwarebytes, Kaspersky) is using DCOM to load DLLs as part of its scanning or threat detection process.
Filter/Exclusion: Exclude processes from known security vendors by checking the process name or parent process, and filter out DLLs that are part of security software components.
**Scenario: Custom COM