← Library
sigmaDRL-1.1from SigmaHQ/sigma

Ie4uinit Lolbin Use From Invalid Path

Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories

Quality
82
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
title: Ie4uinit Lolbin Use From Invalid Path
id: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc
status: test
description: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
    - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
author: frack113
date: 2022-05-07
modified: 2022-05-16
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    product: windows
    category: process_creation
detection:
    lolbin:
        - Image|endswith: '\ie4uinit.exe'
        - OriginalFileName: 'IE4UINIT.EXE'
    filter_correct:
        CurrentDirectory:
            - 'c:\windows\system32\'
            - 'c:\windows\sysWOW64\'
    filter_missing:
        CurrentDirectory: null
    condition: lolbin and not 1 of filter_*
falsepositives:
    - ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"
level: medium