Ie4uinit Lolbin Use From Invalid Path

Sigma Rules

Summary
The detection rule 'Ie4uinit Lolbin Use From Invalid Path' identifies executions of the ie4uinit.exe binary from unexpected directories. In Windows environments this binary initializes Internet Explorer configuration, but attackers can also abuse it as a living-off-the-land binary (LOLBin) to execute malicious commands through a specially crafted ie4uinit.inf file. The rule flags ie4uinit.exe launched from any directory other than its legitimate locations, primarily \windows\system32\ or \windows\sysWOW64\. Its selection matches on the ie4uinit.exe image path and the binary's associated original file name, then filters out executions from those normal directories. The rule also documents a known false positive: a benign ViberPC updater that runs ie4uinit.exe legitimately. Overall, the rule helps detect misuse of a trusted binary to bypass security controls, a defense-evasion technique in which attackers execute their payloads covertly through legitimate executables.
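The following is an added example, not the Sigma rule's own YAML, that models the detection logic described above in Python and runs it over a few constructed process-creation events. It assumes a simplified event shape (image path, PE original file name, parent image) and anchors the legitimate-path check at the drive root, which is stricter than a plain substring match; the exact ViberPC false-positive condition is not given on the page, so it is modelled here as a parent process located under a \ViberPC\ directory (an assumption).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Legitimate locations for ie4uinit.exe, anchored at the drive root so that a
# lookalike such as C:\evil\windows\system32\ie4uinit.exe is not treated as legitimate.
LEGIT_PATH = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64)\\ie4uinit\.exe$", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation event (assumed shape, not a real log schema)."""
    image: str                    # full path of the created process
    original_file_name: str = ""  # OriginalFileName from the PE version resource
    parent_image: str = ""        # full path of the parent process


def is_ie4uinit(ev: ProcessEvent) -> bool:
    """Selection: the image name or the PE original file name identifies ie4uinit.exe."""
    return (
        ev.image.lower().endswith("\\ie4uinit.exe")
        or ev.original_file_name.lower() == "ie4uinit.exe"
    )


def from_legitimate_path(ev: ProcessEvent) -> bool:
    """Filter: execution from \\windows\\system32\\ or \\windows\\syswow64\\."""
    return LEGIT_PATH.match(ev.image) is not None


def is_known_false_positive(ev: ProcessEvent) -> bool:
    """Assumption: the benign ViberPC updater case, modelled via the parent path."""
    return "\\viberpc\\" in ev.parent_image.lower()


def classify(ev: ProcessEvent) -> str:
    """Return 'ignore', 'benign', 'suppressed' or 'alert' for one event."""
    if not is_ie4uinit(ev):
        return "ignore"
    if from_legitimate_path(ev):
        return "benign"
    if is_known_false_positive(ev):
        return "suppressed"
    return "alert"


def find_alerts(events: Iterable[ProcessEvent]) -> List[str]:
    """Image paths of every event the rule would raise an alert on."""
    return [ev.image for ev in events if classify(ev) == "alert"]


# Constructed sample events (paths are made up for illustration).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\ie4uinit.exe", "IE4UINIT.EXE"),
    ProcessEvent(r"C:\Windows\SysWOW64\ie4uinit.exe", "IE4UINIT.EXE"),
    ProcessEvent(r"C:\Users\Public\ie4uinit.exe", "IE4UINIT.EXE"),
    # Renamed copy: the image name changed but the original file name did not.
    ProcessEvent(r"C:\Temp\update.exe", "IE4UINIT.EXE"),
    # Lookalike directory that a substring check on \windows\system32\ would miss.
    ProcessEvent(r"C:\evil\windows\system32\ie4uinit.exe", "IE4UINIT.EXE"),
    # Assumed benign ViberPC updater case.
    ProcessEvent(
        r"C:\Users\bob\AppData\Local\Viber\ie4uinit.exe",
        "IE4UINIT.EXE",
        r"C:\Users\bob\AppData\Local\ViberPC\ViberUpdater.exe",
    ),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev):10s} {ev.image}")
```

The original-file-name check is what keeps a renamed copy in scope, and the parent-based exception is the kind of narrow carve-out a false-positive entry usually turns into; both conditions should be reviewed against your own telemetry before deployment.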
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
Created: 2022-05-07