DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

Summary
This detection rule identifies the creation of a potentially malicious file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory on a Windows host. Such activity is indicative of a Distributed Component Object Model (DCOM) Internet Explorer DLL hijack, which threat actors can use to execute arbitrary code and maintain persistence. The detection relies on Windows Security Event ID 5145, which logs access to files on network shares. Specifically, the rule triggers when the file is accessed or created in that directory, and it excludes operations performed by service or machine accounts (identified by a username ending in '$'). This type of detection is important for identifying lateral movement within a network, as attackers often abuse legitimate processes to evade detection. The rule is assigned a high severity level because of the potential impact of such actions, and the '$'-account filter is intended to minimize false positives from accounts that routinely perform these operations without malicious intent.
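As an added example (not part of the original rule page), the following Python applies the detection logic described above to a handful of constructed Event ID 5145 records. It assumes the standard 5145 fields `ShareName`, `RelativeTargetName` and `SubjectUserName`, treats the `C$` administrative share plus the relative target as resolving to the `C:\Program Files\Internet Explorer\` path, and follows the summary's final sentence in excluding accounts whose name ends in '$'.

```python
import re
from typing import Iterable

# Constructed sample Security Event ID 5145 records (not real logs).
# The field names follow the 5145 event schema; that mapping is an
# assumption of this example, not something the rule page states.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\C$", "Computer": "WS01",
     "RelativeTargetName": r"Program Files\Internet Explorer\iertutil.dll",
     "SubjectUserName": "jdoe"},                      # interactive user: hit
    {"EventID": 5145, "ShareName": r"\\*\C$", "Computer": "WS01",
     "RelativeTargetName": r"Program Files\Internet Explorer\iertutil.dll",
     "SubjectUserName": "WS02$"},                     # machine account: filtered
    {"EventID": 5145, "ShareName": r"\\*\C$", "Computer": "WS01",
     "RelativeTargetName": r"Windows\Temp\update.log",
     "SubjectUserName": "jdoe"},                      # unrelated file: no hit
    {"EventID": 4663, "Computer": "WS01", "SubjectUserName": "jdoe",
     "ObjectName": r"C:\Program Files\Internet Explorer\iertutil.dll"},  # wrong event
]

# Relative path (case-insensitive) of the hijack target below the C$ share.
TARGET_RE = re.compile(r"(?i)(?:^|\\)program files\\internet explorer\\iertutil\.dll$")


def matches_rule(event: dict) -> bool:
    """Return True when one event satisfies the detection described in the summary."""
    if event.get("EventID") != 5145:
        return False
    share = event.get("ShareName", "")
    target = event.get("RelativeTargetName", "")
    # \\*\C$ (or \\host\C$) joined with the relative target is C:\Program Files\...
    if not share.lower().endswith(r"\c$"):
        return False
    if not TARGET_RE.search(target):
        return False
    # False-positive filter: service/machine accounts end in '$'.
    if event.get("SubjectUserName", "").endswith("$"):
        return False
    return True


def detect(events: Iterable[dict]) -> list:
    """Run the rule over a stream of events and return high-severity alerts."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({"computer": ev.get("Computer"), "user": ev["SubjectUserName"],
                           "path": ev["ShareName"] + "\\" + ev["RelativeTargetName"],
                           "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```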
Categories
  • Windows
  • Network
Data Sources
  • File
  • Logon Session
  • Process
  • Windows Registry
Created: 2020-10-12