Incoming DCOM Lateral Movement via MSHTA

calendar Apr 16, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Lateral Movement Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/03"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/08"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are
13launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move
14laterally while attempting to evade detection.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Incoming DCOM Lateral Movement via MSHTA"
21references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
22risk_score = 73
23rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520"
24severity = "high"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
26type = "eql"
27
28query = '''
29sequence with maxspan=1m
30  [process where host.os.type == "windows" and event.type == "start" and
31     process.name : "mshta.exe" and process.args : "-Embedding"
32  ] by host.id, process.entity_id
33  [network where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
34     network.direction : ("incoming", "ingress") and network.transport == "tcp" and
35     source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
36  ] by host.id, process.entity_id
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1021"
44name = "Remote Services"
45reference = "https://attack.mitre.org/techniques/T1021/"
46[[rule.threat.technique.subtechnique]]
47id = "T1021.003"
48name = "Distributed Component Object Model"
49reference = "https://attack.mitre.org/techniques/T1021/003/"
50
51
52
53[rule.threat.tactic]
54id = "TA0008"
55name = "Lateral Movement"
56reference = "https://attack.mitre.org/tactics/TA0008/"
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1218"
61name = "System Binary Proxy Execution"
62reference = "https://attack.mitre.org/techniques/T1218/"
63[[rule.threat.technique.subtechnique]]
64id = "T1218.005"
65name = "Mshta"
66reference = "https://attack.mitre.org/techniques/T1218/005/"
67
68
69
70[rule.threat.tactic]
71id = "TA0005"
72name = "Defense Evasion"
73reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top