Windows Disable Internet Explorer Addons
The following analytic detects the execution of iexplore.exe (Internet Explorer) with the -extoff command-line flag, which disables all browser extensions. This flag is commonly abused by adversaries to launch a clean browser session that bypasses security controls such as antivirus browser extensions, toolbars, or group policy-enforced add-ons. Malicious documents or scripts may leverage iexplore.exe -extoff to open phishing pages, command-and-control interfaces, or download additional payloads in an environment free from security monitoring plugins. While this flag may be used legitimately by IT administrators for troubleshooting purposes, its use in modern enterprise environments is rare and should be considered suspicious—particularly when launched by Office applications, scripting engines (e.g., PowerShell, WScript), or scheduled tasks.
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where
(Processes.process_name = "iexplore.exe" OR Processes.original_file_name="IEXPLORE.EXE")
Processes.process = "*-extoff*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_disable_internet_explorer_addons_filter`