Detect Microsoft Internet Explorer Use-After-Free Vulnerability (CVE-2010-0249) in Microsoft Sentinel
CVE-2010-0249 is a use-after-free vulnerability (CWE-416) in Microsoft Internet Explorer that allows remote attackers to execute arbitrary code via a specially crafted web page. This vulnerability was actively exploited in the wild (Operation Aurora) and is listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation typically involves a malicious HTML/JavaScript page that triggers memory corruption through manipulated DOM objects, enabling arbitrary code execution in the context of the logged-on user.
MITRE ATT&CK
KQL Detection Query
let suspiciousIEProcesses = DeviceProcessEvents
| where FileName =~ "iexplore.exe"
| where InitiatingProcessFileName !in~ ("iexplore.exe", "explorer.exe", "svchost.exe")
| project DeviceId, DeviceName, AccountName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, Timestamp;
let iexploreChildSpawn = DeviceProcessEvents
| where InitiatingProcessFileName =~ "iexplore.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe")
| project DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessId, InitiatingProcessCommandLine, Timestamp;
let iexploreNetworkToSuspicious = DeviceNetworkEvents
| where InitiatingProcessFileName =~ "iexplore.exe"
| where RemotePort !in (80, 443, 8080, 8443)
| project DeviceId, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine, Timestamp;
union iexploreChildSpawn, iexploreNetworkToSuspicious
| sort by Timestamp descDetects suspicious Internet Explorer process behavior consistent with CVE-2010-0249 exploitation: child process spawning from iexplore.exe and anomalous outbound network connections from the browser process.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate browser helper objects or extensions that spawn child processes
- Enterprise proxy or DLP tools that intercept IE network traffic on non-standard ports
- Automated testing frameworks that drive Internet Explorer via COM automation
- IT management tools that launch iexplore.exe programmatically for intranet portals
Other platforms for CVE-2010-0249
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate IE Use-After-Free Child Process Spawn
Expected signal: Sysmon Event ID 1 showing cmd.exe with ParentImage pointing to iexplore.exe; file creation event for cve_2010_0249_test.txt in %TEMP%
- Test 2IE Spawning PowerShell Downloader (Post-Exploit Simulation)
Expected signal: Sysmon Event ID 1 with ParentImage iexplore.exe and Image powershell.exe; command line containing -NonInteractive visible in process telemetry
- Test 3Anomalous IE Network Beacon on Non-Standard Port
Expected signal: Sysmon Event ID 3 network connection event with InitiatingProcessFileName iexplore.exe and DestinationPort 4444; connection attempt logged even on failure
Unlock Pro Content
Get the full detection package for CVE-2010-0249 including response playbook, investigation guide, and atomic red team tests.