CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Exploitation


Detects post-exploitation activity from CVE-2010-0806, a use-after-free vulnerability in the Peer Objects component (iepeers.dll) of Microsoft Internet Explorer 6 and 7. The bug lets a remote attacker execute arbitrary code in the browser process via a crafted web page. It is listed in CISA's Known Exploited Vulnerabilities catalog and was exploited in the wild before a patch was available (Microsoft fixed it in MS10-018).

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor: Microsoft
Product: Internet Explorer 6, 6 SP1 and 7

Weakness (CWE)

Timeline

Disclosed
March 2010

CVSS

Unscored

What is CVE-2010-0806 (Microsoft Internet Explorer Use-After-Free Exploitation)?

Exploitation of CVE-2010-0806 maps to the MITRE ATT&CK tactics Initial Access (the adversary gets a foothold by luring a user to a crafted page) and Execution (the exploit runs attacker code inside iexplore.exe, which then typically launches a second-stage process).

This page provides detection logic for CVE-2010-0806 exploitation built on Microsoft Defender for Endpoint and Microsoft Sentinel telemetry, specifically the DeviceProcessEvents and DeviceNetworkEvents tables. The query shown below is the KQL version; the same logic is published for seven SIEM platforms (KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale) and is rated critical severity at medium confidence. Note that the use-after-free itself happens in memory and leaves no process or network record; what the query sees is the post-exploitation behaviour of the browser process.

MITRE ATT&CK

Tactics: Initial Access (TA0001), Execution (TA0002)
Microsoft Sentinel / Defender
```kusto
// Scope and correlation window (tune per environment)
let lookback = 7d;
let spawnWindow = 5m;
// Leg 1: iexplore.exe started by something other than the shell/logon chain
let suspiciousIEProcesses = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "iexplore.exe"
| where InitiatingProcessFileName !in~ ("explorer.exe", "iexplore.exe", "userinit.exe")
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, AccountName, Leg = "suspicious_parent";
// Leg 2: iexplore.exe spawning a shell or LOLBin (payload stage after the UAF is triggered)
let ieSuspiciousChildren = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "iexplore.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe")
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, AccountName, Leg = "suspicious_child";
// Leg 3: outbound connections from the SAME iexplore.exe instance within spawnWindow after it launched a leg-2 child.
// Joining on the parent PID is what keeps ordinary browsing on 80/443 out of the results.
let ieNetworkAfterSpawn = ieSuspiciousChildren
| project DeviceId, SpawnTime = Timestamp, InitiatingProcessId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "iexplore.exe"
    | where RemotePort in (80, 443, 8080, 4444, 1337)
    | project DeviceId, DeviceName, Timestamp, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessId, AccountName = InitiatingProcessAccountName
  ) on DeviceId, InitiatingProcessId
| where Timestamp between (SpawnTime .. (SpawnTime + spawnWindow))
| project DeviceId, DeviceName, Timestamp, ProcessId = InitiatingProcessId, FileName = strcat(RemoteIP, ":", RemotePort), InitiatingProcessFileName, InitiatingProcessId, AccountName, Leg = "network_after_spawn";
union suspiciousIEProcesses, ieSuspiciousChildren, ieNetworkAfterSpawn
| summarize Events = count(), Accounts = make_set(AccountName), Examples = make_set(FileName, 5) by DeviceId, DeviceName, Leg, InitiatingProcessFileName, bin(Timestamp, 5m)
| order by Events desc
```

Detects suspicious Internet Explorer process behaviour indicative of CVE-2010-0806 post-exploitation: iexplore.exe launched by an unexpected parent, iexplore.exe spawning a shell or LOLBin, and outbound connections from an IE process shortly after such a spawn. The network leg is only meaningful when tied to the spawning IE instance; on its own, IE traffic to 80 and 443 is simply browsing and will swamp the results.
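The same three legs, replayed offline as an added Python example (not the page's or the vendor's code) over constructed Sysmon-style events, so the correlation behaviour can be checked before the KQL is deployed. The event dicts mirror Sysmon Event ID 1 (process create) and Event ID 3 (network connect) fields; the host names, PIDs, addresses and timestamps are constructed for the example and are not real telemetry. The sample includes the Test 1 signal from the Testing Methodology section (ParentImage=iexplore.exe, Image=cmd.exe), an ordinary page load that must not fire, and the automation-tool case from the False Positives list.

```python
# Added example (not the page's or vendor's code): the detection's three legs
# over constructed Sysmon-style events. Field names follow Sysmon Event ID 1 and
# Event ID 3; hosts, PIDs, addresses and times below are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

BENIGN_IE_PARENTS = {"explorer.exe", "iexplore.exe", "userinit.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe"}
WATCHED_PORTS = {80, 443, 8080, 4444, 1337}
SPAWN_WINDOW = timedelta(minutes=5)   # network leg fires only this long after a spawn


def basename(path):
    """'C:\\Program Files\\Internet Explorer\\iexplore.exe' -> 'iexplore.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (leg, event) pairs for the three legs of the detection.

    Leg 3 deliberately requires a suspicious child spawn from the SAME
    iexplore.exe PID on the same host; without that join every page load on
    80/443 would match and the rule would be unusable.
    """
    hits = []
    spawn_times = defaultdict(list)           # (host, iexplore PID) -> [spawn time]
    for e in events:                          # pass 1: process creation (EID 1)
        if e["EventID"] != 1:
            continue
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        if image == "iexplore.exe" and parent not in BENIGN_IE_PARENTS:
            hits.append(("suspicious_parent", e))
        if parent == "iexplore.exe" and image in SUSPICIOUS_CHILDREN:
            hits.append(("suspicious_child", e))
            spawn_times[(e["Computer"], e["ParentProcessId"])].append(e["UtcTime"])
    for e in events:                          # pass 2: network connections (EID 3)
        if e["EventID"] != 3 or basename(e["Image"]) != "iexplore.exe":
            continue
        if e["DestinationPort"] not in WATCHED_PORTS:
            continue
        key = (e["Computer"], e["ProcessId"])
        if any(timedelta(0) <= e["UtcTime"] - t <= SPAWN_WINDOW
               for t in spawn_times.get(key, [])):
            hits.append(("network_after_spawn", e))
    return hits


def summarize(hits, bin_minutes=5):
    """Counts per (host, leg, time bin), mirroring the KQL summarize/bin step."""
    counts = defaultdict(int)
    for leg, e in hits:
        ts = e["UtcTime"]
        bucket = ts.replace(minute=ts.minute - ts.minute % bin_minutes, second=0, microsecond=0)
        counts[(e["Computer"], leg, bucket)] += 1
    return dict(counts)


def at_time(hhmmss):
    """Constructed timestamp helper; the date is arbitrary sample data."""
    return datetime.strptime("2010-03-15 " + hhmmss, "%Y-%m-%d %H:%M:%S")


IE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
# Constructed sample: WS01 is the exploited host, WS02 is an automation box (false-positive case).
SAMPLE_EVENTS = [
    # WS01: normal launch from the shell, normal browsing -> no hit
    {"EventID": 1, "Computer": "WS01", "UtcTime": at_time("10:00:00"), "Image": IE, "ProcessId": 4100,
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 900},
    {"EventID": 3, "Computer": "WS01", "UtcTime": at_time("10:00:05"), "Image": IE, "ProcessId": 4100,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    # WS01: iexplore.exe spawns cmd.exe (Test 1 signal), then the same PID reaches out on 4444
    {"EventID": 1, "Computer": "WS01", "UtcTime": at_time("10:01:30"), "Image": "C:\\Windows\\System32\\cmd.exe",
     "ProcessId": 4312, "ParentImage": IE, "ParentProcessId": 4100},
    {"EventID": 3, "Computer": "WS01", "UtcTime": at_time("10:01:40"), "Image": IE, "ProcessId": 4100,
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    # WS01: same PID, 30 minutes later -> outside the window, no hit
    {"EventID": 3, "Computer": "WS01", "UtcTime": at_time("10:31:00"), "Image": IE, "ProcessId": 4100,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # WS02: IE started by an automation tool (leg 1 fires; see False Positives), browsing only
    {"EventID": 1, "Computer": "WS02", "UtcTime": at_time("10:05:00"), "Image": IE, "ProcessId": 2200,
     "ParentImage": "C:\\Tools\\automation.exe", "ParentProcessId": 1500},
    {"EventID": 3, "Computer": "WS02", "UtcTime": at_time("10:05:02"), "Image": IE, "ProcessId": 2200,
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},
]

if __name__ == "__main__":
    for leg, e in detect(SAMPLE_EVENTS):
        print(f"{e['Computer']} {e['UtcTime']:%H:%M:%S} {leg}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Running it yields three hits: the cmd.exe spawn on WS01, the 4444 connection from the same IE PID ten seconds later, and the automation-launched IE on WS02. The 443 connection before the spawn and the one 30 minutes after it do not fire, which is the behaviour the PID-and-window join is there to enforce; the WS02 hit is the kind of result the False Positives list tells you to allowlist by parent image.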

Severity: critical. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceProcessEvents, DeviceNetworkEvents

Required Tables

DeviceProcessEvents, DeviceNetworkEvents

False Positives

  • Legitimate IE automation tools or testing frameworks spawning child processes
  • Enterprise software using IE as an embedded browser component
  • Scripted deployments or administrative tools that invoke iexplore.exe programmatically
  • Browser Helper Objects or extensions that spawn legitimate helper processes

Sigma rule & cross-platform mapping

The detection logic for CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Exploitation is shown above as KQL for Microsoft Sentinel / Defender; the same logic is published natively as SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, the two process legs target the logsource below; the network leg additionally needs `category: network_connection` (Sysmon Event ID 3), and Sigma itself cannot express the parent-PID join, so that correlation has to be done in the SIEM.

logsource:
  category: process_creation
  product: windows



Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate IE spawning cmd.exe via a scripted process launch

    Expected signal: a process-creation event with ParentImage=iexplore.exe and Image=cmd.exe, visible as Sysmon Event ID 1 and Windows Security Event ID 4688. In Defender terms this is leg 2 of the query (InitiatingProcessFileName=iexplore.exe, FileName=cmd.exe).

  2. Test 2: Internet Explorer spawning PowerShell for encoded command execution

    Expected signal: Sysmon Event ID 1 for powershell.exe with an encoded command (-EncodedCommand / -enc) and parent iexplore.exe, plus network telemetry (Sysmon Event ID 3 or DeviceNetworkEvents) showing an active TCP session from the same iexplore.exe PID at the time of the spawn. This is the only test that should light up the network leg.

  3. Test 3: Heap spray pattern simulation via an IE memory allocation script

    Expected signal: a memory consumption spike (working set / private bytes) in the iexplore.exe process, visible in performance telemetry. Do not expect Script Block Logging to capture it: that feature logs PowerShell only, not the browser's script engine. Note also that the detection query above has no memory leg, so this test exercises the exploitation precondition rather than the detection; it confirms that the spray itself is silent in process and network telemetry, which is why the query keys on what happens after the exploit succeeds.

Unlock Pro Content

Get the full detection package for CVE-2010-0806 including response playbook, investigation guide, and atomic red team tests.


Related Detections