Disabled IE Security Features

Hunt Hypothesis

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

Detection Rule

Sigma (Original)

title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Florian Roth (Nextron Systems)
date: 2020-06-19
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - ' -name IEHarden '
            - ' -value 0 '
    selection2:
        CommandLine|contains|all:
            - ' -name DEPOff '
            - ' -value 1 '
    selection3:
        CommandLine|contains|all:
            - ' -name DisableFirstRunCustomize '
            - ' -value 2 '
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains " -name IEHarden " and TargetProcessCommandLine contains " -value 0 ") or (TargetProcessCommandLine contains " -name DEPOff " and TargetProcessCommandLine contains " -value 1 ") or (TargetProcessCommandLine contains " -name DisableFirstRunCustomize " and TargetProcessCommandLine contains " -value 2 ")

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Technique: T1685 — T1685

References

• https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
• SigmaHQ Rule