Detect CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Exploitation in Microsoft Sentinel
Detects exploitation of CVE-2010-0806, a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability allows remote attackers to execute arbitrary code via a crafted web page. It is listed in CISA's Known Exploited Vulnerabilities catalog and has been actively exploited in the wild.
MITRE ATT&CK
- Tactic
- Initial Access Execution
KQL Detection Query
let suspiciousIEProcesses = DeviceProcessEvents
| where FileName =~ "iexplore.exe"
| where InitiatingProcessFileName !in~ ("explorer.exe", "iexplore.exe", "userinit.exe")
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName;
let ieSuspiciousChildren = DeviceProcessEvents
| where InitiatingProcessFileName =~ "iexplore.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe")
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, AccountName;
let ieNetworkAfterSpawn = DeviceNetworkEvents
| where InitiatingProcessFileName =~ "iexplore.exe"
| where RemotePort in (80, 443, 8080, 4444, 1337)
| project DeviceId, DeviceName, Timestamp, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine;
ieSuspiciousChildren
| union suspiciousIEProcesses
| union ieNetworkAfterSpawn
| summarize count() by DeviceId, DeviceName, FileName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where count_ > 0
| order by count_ descDetects suspicious Internet Explorer process behavior indicative of CVE-2010-0806 exploitation, including abnormal child process spawning and unusual network connections following IE execution.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IE automation tools or testing frameworks spawning child processes
- Enterprise software using IE as an embedded browser component
- Scripted deployments or administrative tools that invoke iexplore.exe programmatically
- Browser Helper Objects or extensions that spawn legitimate helper processes
Other platforms for CVE-2010-0806
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate IE Spawning CMD via Scripted Process Launch
Expected signal: ProcessCreate event with ParentImage=iexplore.exe and Image=cmd.exe visible in Sysmon Event ID 1 and Windows Security Event ID 4688
- Test 2Internet Explorer Spawning PowerShell for Encoded Command Execution
Expected signal: Sysmon Event ID 1: powershell.exe with encoded command and parent iexplore.exe; Network telemetry showing iexplore.exe with an active TCP session at time of child spawn
- Test 3Heap Spray Pattern Simulation via IE Memory Allocation Script
Expected signal: High memory allocation events in iexplore.exe process; potential script engine events logged if Script Block Logging is enabled; browser process memory consumption spike visible in performance telemetry
Unlock Pro Content
Get the full detection package for CVE-2010-0806 including response playbook, investigation guide, and atomic red team tests.