CVE-2010-0806 Splunk · SPL

Detect CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Exploitation in Splunk

Detects exploitation of CVE-2010-0806, a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability allows remote attackers to execute arbitrary code via a crafted web page. It is listed in CISA's Known Exploited Vulnerabilities catalog and has been actively exploited in the wild.

MITRE ATT&CK

Tactics: Initial Access, Execution

SPL Detection Query

Splunk (SPL)

```spl
index=endpoint (sourcetype=xmlwineventlog OR sourcetype=wineventlog) EventCode=4688
| eval parent=lower(ParentProcessName), child=lower(NewProcessName)
| where like(parent, "%iexplore.exe")
| where match(child, "(cmd|powershell|wscript|cscript|mshta|regsvr32|rundll32)\.exe$")
| eval risk_score=case(
    like(child, "%powershell.exe"), 90,
    like(child, "%mshta.exe"), 85,
    like(child, "%cmd.exe"), 80,
    true(), 70)
| stats count min(_time) as first_seen max(_time) as last_seen values(child) as child_processes values(CommandLine) as commandlines by ComputerName, parent, AccountName, risk_score
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table ComputerName, AccountName, parent, child_processes, commandlines, count, risk_score, first_seen, last_seen
| sort - risk_score
```

Note that `where field="*value*"` and `where field IN ("*value*")` are exact-string comparisons in SPL, so the glob-style patterns in the original never matched a full process path; the query above uses `like()` and `match()` for the suffix matches, and the redundant `where count > 0` after `stats` has been dropped.

Severity: critical. Confidence: medium.

Detects Internet Explorer spawning suspicious child processes that are characteristic of CVE-2010-0806 use-after-free exploitation resulting in code execution. The query does not observe the memory corruption itself; it keys on the post-exploitation process spawn, so a payload that stays resident inside iexplore.exe will not trigger it and needs memory- or network-based telemetry instead.
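To make the matching and scoring in the query above concrete, here is the same logic as an added Python example (not part of this page's rule, and not a Splunk API) run over a constructed set of 4688-style events; it reproduces the parent/child filter, the risk tiers and the per-host aggregation:

```python
from collections import defaultdict

# Constructed 4688-style events (not real telemetry); keys mirror the Splunk field names.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "ComputerName": "WS01", "AccountName": "alice",
     "ParentProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc QQBBAEEA"},
    {"_time": 1700000060, "ComputerName": "WS01", "AccountName": "alice",
     "ParentProcessName": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"_time": 1700000120, "ComputerName": "WS02", "AccountName": "bob",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"_time": 1700000180, "ComputerName": "WS01", "AccountName": "alice",
     "ParentProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Same tiering as the SPL case(); any other listed child scores 70.
RISK_BY_CHILD = {"powershell.exe": 90, "mshta.exe": 85, "cmd.exe": 80}


def basename(path):
    """Lower-cased image name, mirroring lower() plus the trailing-name match."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Filter IE -> suspicious child spawns and aggregate like the SPL stats clause."""
    groups = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None,
                                  "child_processes": set(), "commandlines": set()})
    for ev in events:
        parent, child = basename(ev["ParentProcessName"]), basename(ev["NewProcessName"])
        if parent != "iexplore.exe" or child not in SUSPICIOUS_CHILDREN:
            continue
        score = RISK_BY_CHILD.get(child, 70)
        g = groups[(ev["ComputerName"], parent, ev["AccountName"], score)]
        g["count"] += 1
        t = ev["_time"]
        g["first_seen"] = t if g["first_seen"] is None else min(g["first_seen"], t)
        g["last_seen"] = t if g["last_seen"] is None else max(g["last_seen"], t)
        g["child_processes"].add(child)
        g["commandlines"].add(ev["CommandLine"])
    rows = [{"ComputerName": k[0], "parent": k[1], "AccountName": k[2], "risk_score": k[3], **v}
            for k, v in groups.items()]
    return sorted(rows, key=lambda r: r["risk_score"], reverse=True)  # sort - risk_score
```

Only the two iexplore.exe-parented spawns of cmd.exe and powershell.exe survive the filter; the explorer.exe parent and the notepad.exe child are dropped, matching what the SPL would return.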

Data Sources

  • Windows Security Event Log
  • Sysmon
  • EDR endpoint telemetry

Required Sourcetypes

  • xmlwineventlog
  • wineventlog
  • sysmon

False Positives & Tuning

  • Legitimate enterprise applications that use IE as a rendering engine and invoke scripts
  • IT automation and RPA tools using IE COM objects
  • Security testing or red team exercises in authorized environments
  • Legacy enterprise portals that open cmd.exe for local application launch via IE

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate IE Spawning CMD via Scripted Process Launch

    Expected signal: ProcessCreate event with ParentImage=iexplore.exe and Image=cmd.exe visible in Sysmon Event ID 1 and Windows Security Event ID 4688

  2. Test 2: Internet Explorer Spawning PowerShell for Encoded Command Execution

    Expected signal: Sysmon Event ID 1: powershell.exe with encoded command and parent iexplore.exe; Network telemetry showing iexplore.exe with an active TCP session at time of child spawn

  3. Test 3: Heap Spray Pattern Simulation via IE Memory Allocation Script

    Expected signal: High memory allocation events in iexplore.exe process; potential script engine events logged if Script Block Logging is enabled; browser process memory consumption spike visible in performance telemetry
