
Bit9 Threat Advisory - Diskless Internet Explorer Zero Day


Version
All


Topic

This document outlines information about, and a mitigation for, a recently released Internet Explorer zero-day attack. There is at least one way to report or prevent this specific behaviour using the Bit9 Security Platform.


Threat Description

This attack involves running a known-good system executable and injecting malicious code into it, thereby evading file-based controls. In this case, attacker code running in Internet Explorer launches an instance of rundll32.exe and injects code into that process. This technique is generally referred to as Reflective DLL Injection (RDI).


Steps

Please see the Important Notes section for some details on this rule.
1. Log in to the Bit9 Console
2. Navigate to Rules -> Software Rules -> Memory Rules
3. Click "Add Memory Rule"
4. Fill in the following information:

Action:    Report
Permissions: Write Access
Target Process:    *\rundll32.exe
Source Process:    *\iexplore.exe
User: Any User
Policy: All policies

5. Hit Save


Important Note(s)

One thing to keep in mind is that mitigations such as the one listed above have greater value when they are kept hidden from attackers. One way to reduce the likelihood that attackers discover this mitigation is to use a report-only rule (which is what we recommend here). As designed, this rule will only report when malicious code running in Internet Explorer tries to write to or modify the memory of the rundll32.exe process.

You can change the Action of this rule to "Block" in order to turn it into a prevention rule, but it is highly recommended that you run the rule in Report mode for a period of time first to reduce the possibility of unintended consequences. In addition, placing this rule into prevention mode may give attackers information about how to adjust unsuccessful attack attempts in order to bypass the controls.
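To make the rule's logic concrete, the following added example (not Bit9 code) models the Memory Rule configured in the Steps above and applies it to constructed memory-access events, first in Report mode and then in Block mode. It assumes the console's wildcards behave like globs and that Windows paths compare case-insensitively; the event shape is an assumption as well.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MemoryRule:
    """Mirrors the fields filled in under Rules -> Software Rules -> Memory Rules."""
    action: str           # "Report" or "Block"
    permission: str       # access type the rule watches, e.g. "Write Access"
    target_process: str   # wildcard path of the process being accessed
    source_process: str   # wildcard path of the process doing the accessing


@dataclass(frozen=True)
class MemoryAccessEvent:
    """One cross-process memory access as a sensor might record it (constructed shape)."""
    source: str
    target: str
    permission: str


def path_matches(pattern: str, path: str) -> bool:
    # Assumption: console wildcards are globs and Windows paths are case-insensitive.
    return fnmatch.fnmatchcase(path.replace("/", "\\").lower(), pattern.lower())


def evaluate(rule: MemoryRule, event: MemoryAccessEvent) -> Optional[str]:
    """Return 'report' or 'block' when the event matches every rule field, else None."""
    if event.permission.lower() != rule.permission.lower():
        return None
    if not path_matches(rule.target_process, event.target):
        return None
    if not path_matches(rule.source_process, event.source):
        return None
    return rule.action.lower()


# The advisory's rule in Report mode, and the same rule switched to Block.
REPORT_RULE = MemoryRule("Report", "Write Access", r"*\rundll32.exe", r"*\iexplore.exe")
BLOCK_RULE = MemoryRule("Block", "Write Access", r"*\rundll32.exe", r"*\iexplore.exe")

# Constructed sample events: only the first and fourth are the injection pattern described above.
SAMPLE_EVENTS = [
    MemoryAccessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Windows\System32\rundll32.exe", "Write Access"),
    MemoryAccessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe", "Write Access"),
    MemoryAccessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Windows\System32\rundll32.exe", "Read Access"),
    MemoryAccessEvent(r"C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE", r"C:\WINDOWS\SYSWOW64\RUNDLL32.EXE", "Write Access"),
    MemoryAccessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Windows\System32\notepad.exe", "Write Access"),
]


def triage(rule: MemoryRule, events: List[MemoryAccessEvent]) -> List[Tuple[str, str, str]]:
    """Return (verdict, source, target) for every event the rule fires on."""
    return [(v, e.source, e.target) for e in events if (v := evaluate(rule, e))]


if __name__ == "__main__":
    for hit in triage(REPORT_RULE, SAMPLE_EVENTS):
        print(hit)
```

Running it shows the Report rule firing only on the two iexplore.exe-to-rundll32.exe write events (regardless of path case or 32/64-bit location), which is the set of events an analyst would review before considering a switch to Block.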

In addition, memory rules are not supported on Windows Server 2003 64-bit due to a limitation in that OS version.

If you have any concerns or questions, please contact Bit9 Support.

Internal Notes

https://community.bit9.com/docs/DOC-3717

Creation Date: 12-23-2015