sigmahighHunting

Disabled IE Security Features

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

MITRE ATT&CK

T1562.001

defense-evasion

Detection Query

selection1:
  CommandLine|contains|all:
    - " -name IEHarden "
    - " -value 0 "
selection2:
  CommandLine|contains|all:
    - " -name DEPOff "
    - " -value 1 "
selection3:
  CommandLine|contains|all:
    - " -name DisableFirstRunCustomize "
    - " -value 2 "
condition: 1 of selection*

Author

Florian Roth (Nextron Systems)

Created

2020-06-19

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/

Tags

attack.defense-evasionattack.t1562.001

Raw Content

title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Florian Roth (Nextron Systems)
date: 2020-06-19
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - ' -name IEHarden '
            - ' -value 0 '
    selection2:
        CommandLine|contains|all:
            - ' -name DEPOff '
            - ' -value 1 '
    selection3:
        CommandLine|contains|all:
            - ' -name DisableFirstRunCustomize '
            - ' -value 2 '
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high