Synopsis
| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
When an add-on running inside Protected Mode attempts to launch a broker process (or any other program), Internet Explorer checks the ElevationPolicy Registry key to determine how the process should be launched. A broker process runs with higher rights than the Protected Mode sandbox: it can use the current user's permissions to take actions that would otherwise be prohibited while rendering content inside the sandbox. Background: https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/
Attacker's Goals
- When an add-on running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched.
- Attackers may change this value so that the process is launched with higher privileges than Protected Mode would otherwise allow.
Investigative actions
- Check whether the process that modified the ElevationPolicy key is benign, and whether the change was expected as part of its normal execution flow (for example, an installer registering its own broker).
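To show what the investigative action looks like over real telemetry, here is an added triage script (not the detector's own logic, and not code from this page) that classifies registry value-set events touching the ElevationPolicy key. The event layout is a constructed simplification of a Sysmon "Value Set" record, and the sample events are constructed; the key location under `...\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{GUID}` and the meaning of the `Policy` DWORD values are taken from Microsoft's Protected Mode documentation. A `Policy` value of 3 (silent launch at medium integrity) is the outcome the "Attacker's Goals" section describes, so those changes are marked for review; repeats of the same change by the same process on the same day are suppressed, mirroring the 1-day deduplication period in the synopsis.

```python
"""Triage registry-modification events for changes to the IE ElevationPolicy key.

Added example: not the detector's own implementation. Event records are a
constructed simplification of Sysmon Event ID 13 (RegistryEvent - Value Set).
"""
import re
from typing import Optional

# Meaning of the Policy DWORD under ...\Low Rights\ElevationPolicy\{GUID}
# (Microsoft Protected Mode documentation).
POLICY_MEANING = {
    0: "blocked: Protected Mode prevents the process from launching",
    1: "silent launch at low integrity",
    2: "prompt the user, then launch at medium integrity",
    3: "silent launch at medium integrity (no user prompt)",
}

# Matches the per-application entries under the ElevationPolicy key, in either
# hive (HKLM, HKCU, or an HKU\<SID> path as Sysmon reports it), including the
# 32-bit view under Wow6432Node.
ELEVATION_POLICY_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKU\\[^\\]+)\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\})\\(?P<value>AppName|AppPath|Policy)$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \(0x(?P<hex>[0-9A-Fa-f]{8})\)")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"utc_time": "2024-05-01 09:58:00.000", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "details": r"C:\Program Files\Example\example.exe"},
    {"utc_time": "2024-05-01 10:00:00.000", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-2222-3333-4444-555555555555}\Policy",
     "details": "DWORD (0x00000003)"},
    {"utc_time": "2024-05-01 10:00:05.000", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-2222-3333-4444-555555555555}\Policy",
     "details": "DWORD (0x00000003)"},
    {"utc_time": "2024-05-01 11:00:00.000", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-100-200-300-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\Policy",
     "details": "DWORD (0x00000003)"},
    {"utc_time": "2024-05-01 11:00:01.000", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-100-200-300-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\AppPath",
     "details": r"C:\Users\alice\AppData\Local\Temp"},
    {"utc_time": "2024-05-02 08:00:00.000", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-2222-3333-4444-555555555555}\Policy",
     "details": "DWORD (0x00000003)"},
]


def classify(event: dict) -> Optional[dict]:
    """Return a finding for an ElevationPolicy change, or None for unrelated events."""
    m = ELEVATION_POLICY_RE.match(event["target"])
    if m is None:
        return None
    hive = "HKLM" if m["hive"].upper() == "HKLM" else "HKCU"  # HKU\<SID> is a user hive
    finding = {"image": event["image"], "hive": hive, "guid": m["guid"].lower(),
               "value": m["value"].lower(), "details": event["details"],
               "severity": "informational"}
    if finding["value"] == "policy":
        d = DWORD_RE.search(event["details"])
        policy = int(d["hex"], 16) if d else None
        finding["policy"] = policy
        finding["meaning"] = POLICY_MEANING.get(policy, "unknown policy value")
        # Policy 3 makes the launch silent and medium integrity: the change an
        # attacker wants, so it goes to an analyst for the check described above.
        if policy == 3:
            finding["severity"] = "review"
    return finding


def triage(events: list) -> list:
    """Classify events, suppressing repeats of the same change on the same day."""
    seen = set()
    findings = []
    for ev in events:
        f = classify(ev)
        if f is None:
            continue
        key = (f["image"].lower(), f["hive"], f["guid"], f["value"], ev["utc_time"][:10])
        if key in seen:
            continue
        seen.add(key)
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["hive"], f["guid"], f["value"], f["image"], f.get("meaning", f["details"]))
```

Each finding records the writing process so the analyst can apply the investigative action directly: an installer such as `msiexec.exe` registering a broker is usually expected, whereas a scripting host writing `Policy = 3` into a user hive is the pattern worth confirming against the host's normal execution flow.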
Variations
- Tampering with Internet Explorer Protected Mode default configuration
- Tampering with Internet Explorer Protected Mode specific app configuration