Data Sources: DeviceProcessEvents
Platforms: windows
Tags: execution

# Detect exploitation of the Internet Explorer remote code execution vulnerability, CVE-2018-8653

This query was originally published in the threat analytics report, *CVE-2018-8653 scripting engine vulnerability*.

[CVE-2018-8653](https://nvd.nist.gov/vuln/detail/CVE-2018-8653) is a remote code execution vulnerability in the scripting engine (jscript.dll) used by Internet Explorer 9, 10 and 11. An attacker can trigger it with a malicious webpage, or with an application or Office document that hosts the IE rendering engine, and on success runs code with the same access rights as the currently logged-in user, which is particularly problematic if that user is an administrator.

Microsoft [addressed](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653) this vulnerability in an out-of-band security update released in December 2018; the query remains useful for hosts that have not yet received it.

The following query detects possible exploitation of this CVE. It keys on the WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc), a svchost.exe-hosted service that evaluates proxy auto-config (PAC) scripts with the same JScript engine. A process spawned by that service instance is unexpected unless it is the PAC script worker (pacjsworker.exe), another svchost.exe, or the crash handler (WerFault.exe), so anything else is surfaced for review. The operators `=~`, `!~` and `contains` are case-insensitive, so differences in image-name casing do not slip past the filter. Before treating a hit as an alert, review the results in your own environment and extend the exclusion list with any benign children you observe.

## Query

```Kusto
DeviceProcessEvents 
| where Timestamp > ago(7d)
and InitiatingProcessFileName =~ "svchost.exe"
and InitiatingProcessCommandLine contains "WinHttpAutoProxySvc"
and FileName !~ "pacjsworker.exe"
and FileName !~ "svchost.exe"
and FileName !~ "WerFault.exe"
```
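To make the predicates concrete, the following Python replays the query over a handful of constructed DeviceProcessEvents-style rows. This is an added example, not code from the original page or from Microsoft's tooling: the rows, device names and svchost command lines are constructed for illustration, and the `is_suspicious_child` and `hunt` helpers (including the `extra_exclusions` tuning hook) are this example's own names. It mirrors the KQL semantics: case-insensitive `=~`, `!~` and `contains`, and the 7-day window relative to a fixed reference time.

```python
"""Replay the CVE-2018-8653 hunting query over constructed process events.

Added example (not part of the original page or Microsoft's tooling). The
sample rows are constructed; the predicates mirror the KQL above.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time standing in for now() so the 7-day window is reproducible.
NOW = datetime(2019, 1, 10, 12, 0, tzinfo=timezone.utc)

# Typical shape of the auto-proxy service host command line (assumed, illustrative).
AUTOPROXY_HOST = "svchost.exe -k LocalServiceNetworkRestricted -s WinHttpAutoProxySvc"

# Constructed DeviceProcessEvents-style rows; none of this is real telemetry.
SAMPLE_EVENTS = [
    {   # Legitimate PAC script worker spawned by the auto-proxy service: excluded.
        "Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws01",
        "InitiatingProcessFileName": "svchost.exe",
        "InitiatingProcessCommandLine": AUTOPROXY_HOST,
        "FileName": "pacjsworker.exe", "ProcessCommandLine": "pacjsworker.exe",
    },
    {   # Crash handler launched from the same host: expected noise, excluded.
        "Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws01",
        "InitiatingProcessFileName": "svchost.exe",
        "InitiatingProcessCommandLine": AUTOPROXY_HOST,
        "FileName": "WerFault.exe", "ProcessCommandLine": "WerFault.exe -u -p 1234 -s 5678",
    },
    {   # Unexpected child of the auto-proxy host: this is what the query flags.
        "Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws02",
        "InitiatingProcessFileName": "svchost.exe",
        "InitiatingProcessCommandLine": AUTOPROXY_HOST,
        "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami",
    },
    {   # Same parent with upper-case names: still flagged, the operators ignore case.
        "Timestamp": NOW - timedelta(days=2), "DeviceName": "ws03",
        "InitiatingProcessFileName": "SVCHOST.EXE",
        "InitiatingProcessCommandLine": AUTOPROXY_HOST.upper(),
        "FileName": "rundll32.exe", "ProcessCommandLine": "rundll32.exe C:\\Users\\Public\\a.dll,Run",
    },
    {   # cmd.exe under a different svchost instance: out of scope for this query.
        "Timestamp": NOW - timedelta(hours=4), "DeviceName": "ws04",
        "InitiatingProcessFileName": "svchost.exe",
        "InitiatingProcessCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
        "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c backup.bat",
    },
    {   # Would match, but is older than the 7-day window.
        "Timestamp": NOW - timedelta(days=9), "DeviceName": "ws05",
        "InitiatingProcessFileName": "svchost.exe",
        "InitiatingProcessCommandLine": AUTOPROXY_HOST,
        "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami",
    },
]

# Children the query treats as benign under the auto-proxy host (compared lower-cased).
DEFAULT_EXCLUSIONS = frozenset({"pacjsworker.exe", "svchost.exe", "werfault.exe"})


def is_suspicious_child(event, now=NOW, window=timedelta(days=7), exclusions=DEFAULT_EXCLUSIONS):
    """Apply the query's predicates to one row. KQL's =~, !~ and contains are
    case-insensitive, so every string comparison is lower-cased here."""
    if event["Timestamp"] <= now - window:                                    # Timestamp > ago(7d)
        return False
    if event["InitiatingProcessFileName"].lower() != "svchost.exe":         # =~ "svchost.exe"
        return False
    if "winhttpautoproxysvc" not in event["InitiatingProcessCommandLine"].lower():  # contains
        return False
    return event["FileName"].lower() not in exclusions                        # chain of !~


def hunt(events, now=NOW, extra_exclusions=()):
    """Return the rows the query would surface, projected to the columns an
    analyst pivots on. extra_exclusions is a tuning hook for children that are
    benign in a given environment; it does not change the core predicates."""
    exclusions = DEFAULT_EXCLUSIONS | {name.lower() for name in extra_exclusions}
    hits = []
    for event in events:
        if is_suspicious_child(event, now=now, exclusions=exclusions):
            hits.append({
                "Timestamp": event["Timestamp"].isoformat(),
                "DeviceName": event["DeviceName"],
                "FileName": event["FileName"],
                "ProcessCommandLine": event["ProcessCommandLine"],
                "InitiatingProcessCommandLine": event["InitiatingProcessCommandLine"],
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["FileName"], hit["ProcessCommandLine"])
```

Run against the constructed rows, only the cmd.exe on ws02 and the rundll32.exe on ws03 come back: the PAC worker and WerFault.exe are excluded, the Schedule-hosted svchost is not in scope, and the ws05 event falls outside the window. Passing `extra_exclusions=["cmd.exe"]` shows how a noisy but locally benign child is tuned out without touching the predicates that define the detection.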

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | v |  |
| Execution | v |  |
| Persistence |  |  |
| Privilege escalation |  |  |
| Defense evasion |  |  |
| Credential Access |  |  |
| Discovery |  |  |
| Lateral movement |  |  |
| Collection |  |  |
| Command and control |  |  |
| Exfiltration |  |  |
| Impact |  |  |
| Vulnerability |  |  |
| Misconfiguration |  |  |
| Malware, component |  |  |

## Contributor info

**Contributor:** Microsoft Threat Protection team