Nasreddine Bencherchali
31 lines
1.1 KiB
YAML
31 lines
1.1 KiB
YAML
title: Ie4uinit Lolbin Use From Invalid Path
|
|
id: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc
|
|
status: experimental
|
|
description: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
|
|
references:
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
|
|
- https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
|
author: frack113
|
|
date: 2022/05/07
|
|
modified: 2022/05/16
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1218
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
lolbin:
|
|
- Image|endswith: '\ie4uinit.exe'
|
|
- OriginalFileName: 'IE4UINIT.EXE'
|
|
filter_correct:
|
|
CurrentDirectory:
|
|
- 'c:\windows\system32\'
|
|
- 'c:\windows\sysWOW64\'
|
|
filter_missing:
|
|
CurrentDirectory: null
|
|
condition: lolbin and not 1 of filter_*
|
|
falsepositives:
|
|
- ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"
|
|
level: medium
|