Incoming DCOM Lateral Movement with MMC
Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/06"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched
via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move
laterally.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Incoming DCOM Lateral Movement with MMC"
references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"]
risk_score = 73
rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id with maxspan=1m
 [network where host.os.type == "windows" and event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and
  destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and
  network.direction : ("incoming", "ingress") and network.transport == "tcp"
 ] by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "mmc.exe"
 ] by process.parent.entity_id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Incoming DCOM Lateral Movement with MMC

Distributed Component Object Model (DCOM) enables software components to communicate over a network, often used in Windows environments for remote management. Adversaries exploit DCOM to execute commands remotely, leveraging applications like MMC20 to move laterally. The detection rule identifies suspicious activity by monitoring network traffic and process creation patterns, flagging potential misuse when MMC initiates remote commands, indicating possible lateral movement or defense evasion tactics.

### Possible investigation steps

- Review the network traffic logs to identify the source IP address that initiated the connection to the host running mmc.exe. Verify if this IP address is known and expected within the network environment.
- Examine the process creation logs to confirm the parent-child relationship between mmc.exe and any suspicious processes. Investigate the child processes for any unusual or unauthorized activities.
- Check the source and destination ports (both should be >= 49152) involved in the network connection to determine if they align with typical application behavior or if they are indicative of potential misuse.
- Investigate the timeline of events to see if there are any other related alerts or activities on the same host or originating from the same source IP address, which could provide additional context or indicate a broader attack pattern.
- Correlate the findings with any existing threat intelligence or known attack patterns related to DCOM abuse and lateral movement to assess the potential risk and impact on the organization.

### False positive analysis

- Legitimate administrative tasks using MMC may trigger the rule. Regularly review and document routine administrative activities to differentiate them from suspicious behavior.
- Automated scripts or management tools that use MMC for remote management can cause false positives. Identify and whitelist these tools by their process and network patterns.
- Internal network scanning or monitoring tools might mimic the behavior detected by the rule. Exclude known IP addresses or ranges associated with these tools to reduce noise.
- Scheduled tasks or maintenance operations that involve MMC could be misinterpreted as lateral movement. Ensure these tasks are logged and recognized as part of normal operations.
- Software updates or patches that require MMC to execute remote commands might trigger alerts. Maintain an updated list of such activities and exclude them from triggering the rule.

### Response and remediation

- Isolate the affected host immediately from the network to prevent further lateral movement and contain the threat.
- Terminate any suspicious processes associated with mmc.exe on the affected host to stop any ongoing malicious activity.
- Conduct a thorough review of the affected host's event logs and network traffic to identify any additional indicators of compromise or other affected systems.
- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
- Apply patches and updates to the affected systems and any other vulnerable systems in the network to mitigate known vulnerabilities that could be exploited.
- Implement network segmentation to limit the ability of threats to move laterally within the network in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional actions are necessary."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.003"
name = "Distributed Component Object Model"
reference = "https://attack.mitre.org/techniques/T1021/003/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.014"
name = "MMC"
reference = "https://attack.mitre.org/techniques/T1218/014/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
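To make the two-stage EQL sequence in the rule concrete, the following added example (not Elastic's code or query engine, and deliberately simplified) re-implements its logic in plain Python over a handful of constructed ECS-style events: stage one is an incoming TCP connection to mmc.exe with both ports in the ephemeral range and a non-loopback source, keyed by host.id and process.entity_id; stage two is a process start whose parent is mmc.exe, keyed by host.id and process.parent.entity_id; the two must occur within maxspan=1m. The event dictionaries, host ids, entity ids and IP addresses are all constructed for the example.

```python
"""Simplified re-implementation of the rule's EQL sequence (added example, not Elastic's engine)."""
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)          # 'with maxspan=1m'
EPHEMERAL_MIN = 49152                   # source.port / destination.port >= 49152
LOOPBACK = {"127.0.0.1", "::1"}         # source.ip != "127.0.0.1" and source.ip != "::1"


def is_stage1(ev):
    """First sequence element: incoming TCP connection to mmc.exe on ephemeral ports."""
    return (ev.get("event.category") == "network"
            and ev.get("host.os.type") == "windows"
            and ev.get("event.type") == "start"
            and ev.get("process.name", "").lower() == "mmc.exe"   # ':' in EQL is case-insensitive
            and ev.get("source.port", 0) >= EPHEMERAL_MIN
            and ev.get("destination.port", 0) >= EPHEMERAL_MIN
            and ev.get("source.ip") not in LOOPBACK
            and ev.get("network.direction") in ("incoming", "ingress")
            and ev.get("network.transport") == "tcp")


def is_stage2(ev):
    """Second sequence element: a process whose parent is mmc.exe."""
    return (ev.get("event.category") == "process"
            and ev.get("host.os.type") == "windows"
            and ev.get("event.type") == "start"
            and ev.get("process.parent.name", "").lower() == "mmc.exe")


def find_sequences(events):
    """Return (stage1, stage2) pairs joined on host.id and the mmc.exe entity id, within MAXSPAN.

    Simplification: only the most recent stage-1 event per join key is retained.
    """
    pending = {}   # (host.id, mmc.exe entity id) -> stage-1 event
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_stage1(ev):
            pending[(ev["host.id"], ev["process.entity_id"])] = ev
        elif is_stage2(ev):
            key = (ev["host.id"], ev["process.parent.entity_id"])
            first = pending.get(key)
            if first is not None and ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                matches.append((first, ev))
                del pending[key]
    return matches


def describe(pair):
    """Summarise a match with the fields a triage analyst wants first (source IP, host, child)."""
    net, proc = pair
    return {"host": net["host.id"], "source_ip": net["source.ip"],
            "mmc_entity": net["process.entity_id"], "child": proc["process.name"]}


# Constructed sample events (not real telemetry).
T0 = datetime(2025, 1, 15, 10, 0, 0)


def _net(ts, entity, src_ip):
    return {"@timestamp": ts, "event.category": "network", "event.type": "start",
            "host.id": "host-a", "host.os.type": "windows", "process.name": "mmc.exe",
            "process.entity_id": entity, "source.ip": src_ip, "source.port": 51234,
            "destination.port": 49670, "network.direction": "ingress", "network.transport": "tcp"}


def _child(ts, parent_entity):
    return {"@timestamp": ts, "event.category": "process", "event.type": "start",
            "host.id": "host-a", "host.os.type": "windows", "process.name": "cmd.exe",
            "process.parent.name": "mmc.exe", "process.parent.entity_id": parent_entity}


SAMPLE_EVENTS = [
    _net(T0, "mmc-1", "10.0.0.25"),                       # remote workstation connects to mmc.exe
    _child(T0 + timedelta(seconds=20), "mmc-1"),          # child 20s later -> matches
    _net(T0, "mmc-2", "127.0.0.1"),                       # loopback source -> excluded by stage 1
    _child(T0 + timedelta(seconds=5), "mmc-2"),           # no pending stage 1 -> no match
    _net(T0 + timedelta(seconds=10), "mmc-3", "10.0.0.30"),
    _child(T0 + timedelta(minutes=3), "mmc-3"),           # 2m50s later -> outside maxspan
]

if __name__ == "__main__":
    for pair in find_sequences(SAMPLE_EVENTS):
        print(describe(pair))
```

Running the block reports a single match, the mmc-1 pair from 10.0.0.25; the loopback connection is filtered out at stage one and the mmc-3 child falls outside the one-minute window. This is also the quickest way to sanity-check a tuning change: add a constructed event for a known administrative tool and confirm whether the proposed exclusion actually drops it.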
Related rules
- Local Account TokenFilter Policy Disabled
- NullSessionPipe Registry Modification
- RDP Enabled via Registry
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Attempt to Install Kali Linux via WSL