← Back to Explore
sigmamediumHunting
Ie4uinit Lolbin Use From Invalid Path
Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
Detection Query
lolbin:
- Image|endswith: \ie4uinit.exe
- OriginalFileName: IE4UINIT.EXE
filter_correct:
CurrentDirectory:
- c:\windows\system32\
- c:\windows\sysWOW64\
filter_missing:
CurrentDirectory: null
condition: lolbin and not 1 of filter_*
Author
frack113
Created
2022-05-07
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Ie4uinit Lolbin Use From Invalid Path
id: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc
status: test
description: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
- https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
author: frack113
date: 2022-05-07
modified: 2022-05-16
tags:
- attack.defense-evasion
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
lolbin:
- Image|endswith: '\ie4uinit.exe'
- OriginalFileName: 'IE4UINIT.EXE'
filter_correct:
CurrentDirectory:
- 'c:\windows\system32\'
- 'c:\windows\sysWOW64\'
filter_missing:
CurrentDirectory: null
condition: lolbin and not 1 of filter_*
falsepositives:
- ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"
level: medium