Incoming DCOM Lateral Movement via MSHTA
Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.
Elastic rule
[metadata]
creation_date = "2020/11/03"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are
launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move
laterally while attempting to evade detection.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Incoming DCOM Lateral Movement via MSHTA"
references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
risk_score = 73
rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence with maxspan=1m
  [process where host.os.type == "windows" and event.type == "start" and
   process.name : "mshta.exe" and process.args : "-Embedding"
  ] by host.id, process.entity_id
  [network where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
   network.direction : ("incoming", "ingress") and network.transport == "tcp" and
   source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
  ] by host.id, process.entity_id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Incoming DCOM Lateral Movement via MSHTA

DCOM lets a client activate and call COM objects on a remote host over RPC. The HTA Application COM object is served by mshta.exe, so a remote activation starts mshta.exe with the -Embedding switch that the DCOM launcher passes to every out-of-process COM server, and the HTA content the caller points it at (usually a URL served from the attacker's host, so nothing needs to be written to the target's disk) then runs on the target without PsExec, WinRM, scheduled tasks or any other conventional remote-execution service being involved. This is the LethalHTA technique cited in the rule references; it typically requires an account with remote launch and activation rights on the target, such as a local administrator. The rule chains two events for the same process, joined on host.id and process.entity_id within one minute: an mshta.exe start whose arguments include -Embedding, followed by an inbound TCP connection to that process in which both ports fall in the Windows RPC dynamic range (above 49151) and the source address is not loopback. An interactive mshta.exe launched to run a local .hta file does not carry -Embedding and therefore never enters the sequence.

### Possible investigation steps

- Review the process start event for mshta.exe on the affected host to gather the process entity ID, command-line arguments, and parent process. A DCOM activation shows only -Embedding on the command line and a svchost.exe hosting the DcomLaunch service as the parent; an mshta.exe started by explorer.exe, a script host, or an Office process with an .hta path or URL on its command line was launched locally and points at a different technique.
- Analyze the network event associated with the mshta.exe process: the source IP is the host that performed the DCOM activation, and the ports on both sides should fall in the RPC dynamic range (49152-65535).
- Check whether the source IP belongs to a known administrative or management host, to an internal workstation that has no business activating COM objects on this host, or to an address outside the network, and whether it appears in earlier alerts.
- Investigate the timeline of events on the host to identify preceding or subsequent suspicious activity, in particular child processes of mshta.exe and any outbound connections it makes to fetch the HTA content.
- Correlate the findings with logs and alerts from the source host and the same network segment, including logon events for the account that performed the activation, to identify additional indicators of compromise.
- Assess the risk and impact by considering the host's role within the network and any sensitive data or systems it can reach.

### False positive analysis

- Legitimate administrative tasks using MSHTA for remote management can trigger the rule. Identify and document these tasks, then create exceptions for known administrative IP addresses or specific user accounts.
- Automated software updates or deployments that utilize MSHTA may appear as suspicious activity. Monitor and whitelist the IP addresses and ports associated with these updates to prevent false positives.
- Internal network scanning tools or security assessments might mimic lateral movement behavior. Coordinate with IT and security teams to recognize these activities and exclude them from triggering alerts.
- Custom applications that leverage MSHTA for inter-process communication could be flagged. Review these applications and exclude their known processes or network patterns from the detection rule.
- Remote desktop or support tools that use MSHTA for legitimate purposes should be identified. Whitelist these tools by their process names or associated network traffic to reduce unnecessary alerts.

### Response and remediation

- Isolate the affected host immediately from the network to prevent further lateral movement and potential data exfiltration.
- Terminate the mshta.exe process on the affected host to stop any ongoing malicious activity.
- Conduct a thorough examination of the affected host to identify any additional malicious files or processes, focusing on those initiated around the time of the alert.
- Reset credentials for any accounts that were active on the affected host during the time of the alert to prevent unauthorized access.
- Review and restrict DCOM permissions and configurations on the affected host and other critical systems to limit the potential for similar attacks.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems have been compromised.
- Update detection mechanisms and threat intelligence feeds to enhance monitoring for similar DCOM-based lateral movement attempts in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.003"
name = "Distributed Component Object Model"
reference = "https://attack.mitre.org/techniques/T1021/003/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
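The sequence logic of the rule above, re-implemented in Python as an added example (not code from the Elastic rule or its repository) and run over constructed Sysmon-style events. It joins the two stages on host.id and process.entity_id within the rule's one-minute maxspan, applies the same -Embedding, port-range, direction and loopback conditions, and adds two things the investigation guide asks for that the EQL itself does not do: a classification of the source address as loopback, private or public, and an optional exclusion list for known administrative source addresses. The event dictionaries use ECS-style field names as flat keys; every host, entity ID, address, port and timestamp is made up for illustration.

```python
"""Re-implementation of the 'Incoming DCOM Lateral Movement via MSHTA' EQL
sequence over constructed events. Added example; not Elastic's code."""
import ipaddress
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)       # sequence with maxspan=1m
DYNAMIC_PORT_MIN = 49152             # rule: source.port > 49151 and destination.port > 49151
LOOPBACK = {"127.0.0.1", "::1"}      # rule: source.ip != "127.0.0.1" and source.ip != "::1"


def _ts(s):
    return datetime.fromisoformat(s)


def is_embedded_mshta_start(ev):
    """Stage 1: mshta.exe launched by the DCOM launcher. Out-of-process COM
    servers are started with the -Embedding switch; a user running a local
    .hta interactively does not get it."""
    return (ev["category"] == "process" and ev["type"] == "start"
            and ev["process.name"].lower() == "mshta.exe"
            and "-Embedding" in ev["process.args"])


def is_incoming_dynamic_port_tcp(ev):
    """Stage 2: an inbound TCP connection to mshta.exe with both ends in the
    RPC dynamic port range (49152-65535) from a non-loopback source."""
    return (ev["category"] == "network" and ev["type"] == "start"
            and ev["process.name"].lower() == "mshta.exe"
            and ev["network.direction"] in ("incoming", "ingress")
            and ev["network.transport"] == "tcp"
            and ev["source.port"] >= DYNAMIC_PORT_MIN
            and ev["destination.port"] >= DYNAMIC_PORT_MIN
            and ev["source.ip"] not in LOOPBACK)


def classify_source(ip):
    """Triage helper: is the activating peer loopback, internal, or external?"""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def detect(events, excluded_sources=()):
    """Join the two stages by (host.id, process.entity_id) within MAXSPAN,
    as the EQL sequence does. `excluded_sources` is a hypothetical tuning
    knob for the exceptions the guide recommends (known administrative
    source addresses); it is not part of the rule."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    pending = {}                     # join key -> timestamp of stage-1 event
    alerts = []
    for ev in events:
        key = (ev["host.id"], ev["process.entity_id"])
        t = _ts(ev["@timestamp"])
        if is_embedded_mshta_start(ev):
            pending[key] = t         # a newer stage-1 event replaces an older one
        elif is_incoming_dynamic_port_tcp(ev) and key in pending:
            if t - pending[key] <= MAXSPAN and ev["source.ip"] not in excluded_sources:
                alerts.append({"host.id": ev["host.id"],
                               "process.entity_id": ev["process.entity_id"],
                               "pid": ev["process.pid"],
                               "source.ip": ev["source.ip"],
                               "source.class": classify_source(ev["source.ip"])})
            pending.pop(key)         # each stage-1 event is consumed (or expired) once
    return alerts


def sample_events():
    """Constructed Sysmon-style events (not real telemetry)."""
    base = {"host.id": "ws-finance-07", "process.name": "mshta.exe",
            "process.pid": 5120, "network.transport": "tcp"}

    def proc(entity, ts, args):
        return {**base, "category": "process", "type": "start", "@timestamp": ts,
                "process.entity_id": entity, "process.args": args}

    def net(entity, ts, direction, sip, sport, dport):
        return {**base, "category": "network", "type": "start", "@timestamp": ts,
                "process.entity_id": entity, "network.direction": direction,
                "source.ip": sip, "source.port": sport, "destination.port": dport}

    return [
        # 1. DCOM activation, then inbound RPC from a workstation: alerts
        proc("e-1", "2025-01-15T10:00:00", ["mshta.exe", "-Embedding"]),
        net("e-1", "2025-01-15T10:00:03", "incoming", "10.20.30.40", 51234, 49670),
        # 2. Interactive mshta.exe running a local .hta: no -Embedding, no alert
        proc("e-2", "2025-01-15T10:05:00", ["mshta.exe", "C:\\Users\\a\\tool.hta"]),
        net("e-2", "2025-01-15T10:05:01", "incoming", "10.20.30.40", 51300, 49671),
        # 3. Loopback peer: excluded by the rule
        proc("e-3", "2025-01-15T10:10:00", ["mshta.exe", "-Embedding"]),
        net("e-3", "2025-01-15T10:10:02", "incoming", "127.0.0.1", 51400, 49672),
        # 4. Inbound on a well-known port, outside the RPC dynamic range: no alert
        proc("e-4", "2025-01-15T10:15:00", ["mshta.exe", "-Embedding"]),
        net("e-4", "2025-01-15T10:15:02", "incoming", "10.20.30.41", 51500, 445),
        # 5. Same process, but the connection arrives after the 1-minute window
        proc("e-5", "2025-01-15T10:20:00", ["mshta.exe", "-Embedding"]),
        net("e-5", "2025-01-15T10:21:30", "incoming", "10.20.30.42", 51600, 49673),
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Run it directly and only the first pair is reported; the loopback, well-known-port and out-of-window cases are included precisely because they are the ones the rule's conditions discard, so the output shows where the rule's edges are. The exclusion list keys on source.ip alone, so an attacker operating from a compromised administrative host would be excluded as well; scope any such exception as tightly as the environment allows, and prefer pairing it with the account or host that legitimately performs the activation.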
References
- https://codewhitesec.blogspot.com/2018/07/lethalhta.html
Related rules
- Execution via TSClient Mountpoint
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell