Tampering with Internet Explorer Protected Mode configuration

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify Tools (T1562.001)

Severity

Informational

Description

When an add-on running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy registry key is checked to determine how that process should be launched. Internet Explorer runs the broker process with higher rights, so it can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. See https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/.

Attacker's Goals

  • When an add-on running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched.
  • Attackers may change this value so that the process is launched with higher privileges.

Investigative actions

  • Check whether the injecting process is benign and whether this was desired behavior as part of its normal execution flow.
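As an added triage example (not Cortex XDR's own detection logic), the Python below classifies constructed registry-write records against the ElevationPolicy key described above. The key layout and Policy values are taken from Microsoft's Protected Mode documentation; treating per-CLSID subkeys as the "specific app" variation and the parent key as the "default" variation is an assumption, as are the process names in the sample records.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Key layout per Microsoft's Protected Mode documentation:
# HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CLSID}
#   AppName (REG_SZ)    executable file name
#   AppPath (REG_SZ)    directory containing the executable
#   Policy  (REG_DWORD) 0 = block, 1 = launch at low integrity,
#                       2 = prompt the user, 3 = launch silently at medium integrity
ELEVATION_POLICY_RE = re.compile(
    r"\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy"
    r"(?:\\(?P<clsid>\{[0-9a-f-]{36}\}))?$",
    re.IGNORECASE,
)
POLICY_LABELS = {0: "block", 1: "low-integrity", 2: "prompt", 3: "silent"}

@dataclass
class RegistryWrite:
    process: str       # image name of the process performing the write
    key_path: str      # full key path as recorded by the endpoint agent
    value_name: str
    value_data: object

def triage(ev: RegistryWrite) -> Optional[dict]:
    """Return a verdict for one registry write, or None if it is unrelated."""
    m = ELEVATION_POLICY_RE.search(ev.key_path)
    if not m:
        return None
    # Assumption: a CLSID subkey is a per-application entry, the bare key is the default.
    scope = "specific-app" if m.group("clsid") else "default"
    verdict = {"process": ev.process, "scope": scope, "severity": "informational"}
    if ev.value_name.lower() == "policy":
        policy = int(ev.value_data)
        verdict["policy"] = POLICY_LABELS.get(policy, f"unknown({policy})")
        # Policy=3 starts the broker at medium integrity with no prompt, which
        # removes the sandbox boundary for that application; Policy=2 still prompts.
        if policy == 3:
            verdict["severity"] = "high"
        elif policy == 2:
            verdict["severity"] = "medium"
    return verdict

# Constructed sample records, not real telemetry.
_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"
SAMPLE_EVENTS = [
    RegistryWrite("setup.exe", _KEY + r"\{6a1f3c2e-0000-4000-8000-000000000001}", "AppName", "helper.exe"),
    RegistryWrite("updater.exe", _KEY + r"\{6a1f3c2e-0000-4000-8000-000000000001}", "Policy", 3),
    RegistryWrite("explorer.exe", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Sync", "C:\\s.exe"),
]

def triage_all(events):
    """Apply triage() to a batch and keep only ElevationPolicy-related verdicts."""
    return [v for v in map(triage, events) if v is not None]
```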

Variations

Tampering with Internet Explorer Protected Mode default configuration

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify Tools (T1562.001)

Severity

Medium

Description

When an add-on running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy registry key is checked to determine how that process should be launched. Internet Explorer runs the broker process with higher rights, so it can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. See https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/.

Attacker's Goals

  • When an add-on running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched.
  • Attackers may change this value so that the process is launched with higher privileges.

Investigative actions

  • Check whether the injecting process is benign and whether this was desired behavior as part of its normal execution flow.

Tampering with Internet Explorer Protected Mode specific app configuration

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify Tools (T1562.001)

Severity

Informational

Description

When an add-on running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy registry key is checked to determine how that process should be launched. Internet Explorer runs the broker process with higher rights, so it can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. See https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/.

Attacker's Goals

  • When an add-on running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched.
  • Attackers may change this value so that the process is launched with higher privileges.

Investigative actions

  • Check whether the injecting process is benign and whether this was desired behavior as part of its normal execution flow.