Detect Microsoft Internet Explorer Use-After-Free Vulnerability (CVE-2010-0249) in Splunk
CVE-2010-0249 is a use-after-free vulnerability (CWE-416) in Microsoft Internet Explorer that allows remote attackers to execute arbitrary code via a specially crafted web page. This vulnerability was actively exploited in the wild (Operation Aurora) and is listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation typically involves a malicious HTML/JavaScript page that triggers memory corruption through manipulated DOM objects, enabling arbitrary code execution in the context of the logged-on user.
MITRE ATT&CK
SPL Detection Query
index=windows (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval EventCode=coalesce(EventCode, event_id)
| where EventCode IN ("1", "3", "7")
| eval ParentImage=lower(coalesce(ParentImage, parent_image, ""))
| eval Image=lower(coalesce(Image, image, ""))
| where ParentImage LIKE "%iexplore.exe"
AND (Image LIKE "%cmd.exe" OR Image LIKE "%powershell.exe" OR Image LIKE "%wscript.exe" OR Image LIKE "%cscript.exe" OR Image LIKE "%mshta.exe" OR Image LIKE "%regsvr32.exe" OR Image LIKE "%rundll32.exe")
| eval host=coalesce(host, ComputerName)
| stats count min(_time) as firstSeen max(_time) as lastSeen values(Image) as childProcesses values(CommandLine) as commandLines by host, ParentImage, User
| sort -count

Detects Internet Explorer spawning suspicious child processes via Sysmon process creation events, indicative of CVE-2010-0249 exploitation leading to code execution.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Browser automation or Selenium-based tools controlling IE via COM
- Enterprise software that uses iexplore.exe as a rendering component and spawns helper processes
- Legitimate IT scripts that open iexplore.exe and subsequently launch cmd.exe for logging
- Security scanners that exercise IE rendering engine
Other platforms for CVE-2010-0249
Testing Methodology
Validate this detection against the three adversary techniques below, modelled on Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate IE Use-After-Free Child Process Spawn
Expected signal: Sysmon Event ID 1 showing cmd.exe with ParentImage pointing to iexplore.exe; file creation event for cve_2010_0249_test.txt in %TEMP%
- Test 2: IE Spawning PowerShell Downloader (Post-Exploit Simulation)
Expected signal: Sysmon Event ID 1 with ParentImage iexplore.exe and Image powershell.exe; command line containing -NonInteractive visible in process telemetry
- Test 3: Anomalous IE Network Beacon on Non-Standard Port
Expected signal: Sysmon Event ID 3 network connection event with InitiatingProcessFileName iexplore.exe and DestinationPort 4444; connection attempt logged even on failure
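To check the detection logic and the three test signals offline, the following Python script is an added example (not the page's query or a vendor's code) that replays the same parent/child rule over a handful of constructed Sysmon records. It assumes the events arrive as key=value lines (values with spaces quoted), treats TCP 80 and 443 as the only expected browser ports (the page only names 4444 as the non-standard test port), and uses a hypothetical allowlist pattern to illustrate the "IT script that opens IE and then cmd.exe for logging" false positive from the tuning list. The SPL query keys on ParentImage, which Sysmon Event ID 3 does not carry, so the Test 3 network signal is checked by a separate function on the Image field.

```python
"""Replay the iexplore.exe parent/child detection over constructed Sysmon events."""
import re
from collections import defaultdict

# Child binaries the SPL query treats as suspicious when spawned by iexplore.exe.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe",
}
# Assumption: ports IE normally talks on; anything else is an anomaly for Test 3.
EXPECTED_BROWSER_PORTS = {80, 443}
# Hypothetical tuning allowlist for a known IT logging script (not from the page).
ALLOWLIST_PATTERNS = [re.compile(r"\\it-tools\\ielog\.cmd", re.IGNORECASE)]

# Constructed sample events, not real telemetry. Events 0 and 1 mirror Tests 1 and 2,
# event 2 is the allowlisted IT script, event 3 has a non-IE parent, events 4 and 5
# are Event ID 3 records for Test 3 (4444) and a normal HTTPS connection.
SAMPLE_EVENTS = [
    r'EventCode=1 host=WS01 User="CORP\alice" ParentImage="C:\Program Files\Internet Explorer\iexplore.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c echo test > %TEMP%\cve_2010_0249_test.txt"',
    r'EventCode=1 host=WS01 User="CORP\alice" ParentImage="C:\Program Files\Internet Explorer\iexplore.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -NonInteractive -Command Get-Date"',
    r'EventCode=1 host=WS02 User="CORP\bob" ParentImage="C:\Program Files\Internet Explorer\iexplore.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c C:\it-tools\ielog.cmd"',
    r'EventCode=1 host=WS02 User="CORP\bob" ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"',
    r'EventCode=3 host=WS01 User="CORP\alice" Image="C:\Program Files\Internet Explorer\iexplore.exe" DestinationIp=198.51.100.7 DestinationPort=4444',
    r'EventCode=3 host=WS01 User="CORP\alice" Image="C:\Program Files\Internet Explorer\iexplore.exe" DestinationIp=198.51.100.8 DestinationPort=443',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value record into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path):
    """Lower-cased file name, equivalent to the query's lower() + LIKE '%name' test."""
    return re.split(r"[\\/]", path)[-1].lower() if path else ""


def is_allowlisted(event):
    """Tuning hook: drop events whose command line matches a known-good pattern."""
    cmd = event.get("CommandLine", "")
    return any(p.search(cmd) for p in ALLOWLIST_PATTERNS)


def is_ie_child_spawn(event):
    """Event ID 1: iexplore.exe parent with a scripting/LOLBin child (Tests 1 and 2)."""
    return (event.get("EventCode") == "1"
            and basename(event.get("ParentImage", "")) == "iexplore.exe"
            and basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN
            and not is_allowlisted(event))


def is_ie_network_anomaly(event):
    """Event ID 3: iexplore.exe connecting on a port browsers do not normally use (Test 3)."""
    if event.get("EventCode") != "3":
        return False
    if basename(event.get("Image", "")) != "iexplore.exe":
        return False
    try:
        port = int(event.get("DestinationPort", ""))
    except ValueError:
        return False
    return port not in EXPECTED_BROWSER_PORTS


def summarize_child_spawns(lines):
    """Mirror the query's stats clause: count, child set and command lines per host/parent/user."""
    groups = defaultdict(lambda: {"count": 0, "children": set(), "commandLines": set()})
    for line in lines:
        ev = parse_event(line)
        if not is_ie_child_spawn(ev):
            continue
        key = (ev.get("host", ""), basename(ev["ParentImage"]), ev.get("User", ""))
        group = groups[key]
        group["count"] += 1
        group["children"].add(basename(ev["Image"]))
        group["commandLines"].add(ev.get("CommandLine", ""))
    return dict(groups)


def find_network_anomalies(lines):
    """Return (host, port) for every anomalous iexplore.exe connection."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_ie_network_anomaly(ev):
            hits.append((ev.get("host", ""), int(ev["DestinationPort"])))
    return hits


if __name__ == "__main__":
    for key, group in summarize_child_spawns(SAMPLE_EVENTS).items():
        print(key, group["count"], sorted(group["children"]))
    print(find_network_anomalies(SAMPLE_EVENTS))
```

Running the script groups the two WS01 spawns under one host/parent/user key, as the stats clause does, and drops the WS02 logging script via the allowlist; the only network hit is the 4444 connection. Swap the constructed records for an export of real Sysmon events to confirm your field names (User, CommandLine, DestinationPort) match before trusting the Splunk query's stats output.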