Incoming DCOM Lateral Movement with MMC

Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/06"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched
via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move
laterally.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Incoming DCOM Lateral Movement with MMC"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Incoming DCOM Lateral Movement with MMC

Distributed Component Object Model (DCOM) enables software components to communicate over a network, often used in Windows environments for remote management. Adversaries exploit DCOM to execute commands remotely, leveraging applications like MMC20 to move laterally. The detection rule identifies suspicious activity by monitoring network traffic and process creation patterns, flagging potential misuse when MMC initiates remote commands, indicating possible lateral movement or defense evasion tactics.

### Possible investigation steps

- Review the network traffic logs to identify the source IP address that initiated the connection to the host running mmc.exe. Verify if this IP address is known and expected within the network environment.
- Examine the process creation logs to confirm the parent-child relationship between mmc.exe and any suspicious processes. Investigate the child processes for any unusual or unauthorized activities.
- Check the source and destination ports (both should be >= 49152) involved in the network connection to determine if they align with typical application behavior or if they are indicative of potential misuse.
- Investigate the timeline of events to see if there are any other related alerts or activities on the same host or originating from the same source IP address, which could provide additional context or indicate a broader attack pattern.
- Correlate the findings with any existing threat intelligence or known attack patterns related to DCOM abuse and lateral movement to assess the potential risk and impact on the organization.

### False positive analysis

- Legitimate administrative tasks using MMC may trigger the rule. Regularly review and document routine administrative activities to differentiate them from suspicious behavior.
- Automated scripts or management tools that use MMC for remote management can cause false positives. Identify and whitelist these tools by their process and network patterns.
- Internal network scanning or monitoring tools might mimic the behavior detected by the rule. Exclude known IP addresses or ranges associated with these tools to reduce noise.
- Scheduled tasks or maintenance operations that involve MMC could be misinterpreted as lateral movement. Ensure these tasks are logged and recognized as part of normal operations.
- Software updates or patches that require MMC to execute remote commands might trigger alerts. Maintain an updated list of such activities and exclude them from triggering the rule.

### Response and remediation

- Isolate the affected host immediately from the network to prevent further lateral movement and contain the threat.
- Terminate any suspicious processes associated with mmc.exe on the affected host to stop any ongoing malicious activity.
- Conduct a thorough review of the affected host's event logs and network traffic to identify any additional indicators of compromise or other affected systems.
- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
- Apply patches and updates to the affected systems and any other vulnerable systems in the network to mitigate known vulnerabilities that could be exploited.
- Implement network segmentation to limit the ability of threats to move laterally within the network in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional actions are necessary."""
references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"]
risk_score = 73
rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id with maxspan=1m
 [network where host.os.type == "windows" and event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and
 destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and
  network.direction : ("incoming", "ingress") and network.transport == "tcp"
 ] by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "mmc.exe"
 ] by process.parent.entity_id
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.003"
name = "Distributed Component Object Model"
reference = "https://attack.mitre.org/techniques/T1021/003/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.014"
name = "MMC"
reference = "https://attack.mitre.org/techniques/T1218/014/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
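To make the EQL sequence above and the false-positive tuning in the investigation guide concrete, here is an added Python model of the rule's logic run over constructed ECS-style events. This is not Elastic's code and not how the Elastic rule engine works internally; it reproduces the two stages (an incoming TCP connection to mmc.exe on two dynamic-range ports, then a child process of that same mmc.exe instance within one minute), the `by` join on `host.id` and the process entity id, and the loopback and port filters. The `allowed_sources` parameter and the `triage_summary` helper are assumptions added for illustration (a CIDR allow-list for known management hosts, and the fields an analyst checks first); they are not part of the rule. EQL sequence semantics are simplified: events are processed in timestamp order and a first-stage event is consumed by the first second-stage event that joins to it.

```python
"""Added illustration (not Elastic's code): a plain-Python model of the
"Incoming DCOM Lateral Movement with MMC" EQL sequence, run over
constructed sample events so the join and filter logic can be traced."""
import ipaddress
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)      # `with maxspan=1m`
EPHEMERAL_MIN = 49152               # Windows dynamic (RPC) port range, per the rule
LOOPBACK = {"127.0.0.1", "::1"}     # excluded by the two source.ip clauses


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_candidate_network(e):
    """Stage 1: incoming TCP connection to mmc.exe, both ports in the dynamic range."""
    return (e.get("event.category") == "network"
            and e.get("event.type") == "start"
            and e.get("host.os.type") == "windows"
            and e.get("process.name", "").lower() == "mmc.exe"  # EQL `:` is case-insensitive
            and e.get("source.port", 0) >= EPHEMERAL_MIN
            and e.get("destination.port", 0) >= EPHEMERAL_MIN
            and e.get("source.ip") not in LOOPBACK
            and e.get("network.direction") in ("incoming", "ingress")
            and e.get("network.transport") == "tcp")


def is_candidate_process(e):
    """Stage 2: any process start whose parent is mmc.exe."""
    return (e.get("event.category") == "process"
            and e.get("event.type") == "start"
            and e.get("host.os.type") == "windows"
            and e.get("process.parent.name", "").lower() == "mmc.exe")


def find_sequences(events, allowed_sources=()):
    """Return (network_event, process_event) pairs that satisfy the sequence.

    allowed_sources (assumed tuning knob, not in the rule): CIDR strings for
    management hosts whose connections should not start a sequence, i.e. the
    guide's "exclude known IP addresses or ranges" false-positive handling."""
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_sources]
    pending = {}   # (host.id, process.entity_id) -> stage-1 event awaiting a child
    matches = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["@timestamp"])):
        if is_candidate_network(e):
            if any(ipaddress.ip_address(e["source.ip"]) in net for net in allowed):
                continue
            pending[(e["host.id"], e["process.entity_id"])] = e
        elif is_candidate_process(e):
            key = (e["host.id"], e.get("process.parent.entity_id"))  # the `by` join
            first = pending.get(key)
            if first and parse_ts(e["@timestamp"]) - parse_ts(first["@timestamp"]) <= MAXSPAN:
                matches.append((first, e))
                del pending[key]
    return matches


def triage_summary(match):
    """Fields the guide's first three investigation steps ask for (assumed helper)."""
    net, proc = match
    return {"host": net["host.id"], "source_ip": net["source.ip"],
            "ports": (net["source.port"], net["destination.port"]),
            "child": proc["process.name"], "parent_entity": proc["process.parent.entity_id"]}


def net_event(ts, host, entity, src_ip, src_port, dst_port):
    return {"@timestamp": ts, "event.category": "network", "event.type": "start",
            "host.id": host, "host.os.type": "windows", "process.name": "mmc.exe",
            "process.entity_id": entity, "source.ip": src_ip, "source.port": src_port,
            "destination.port": dst_port, "network.direction": "ingress",
            "network.transport": "tcp"}


def proc_event(ts, host, name, entity, parent_entity):
    return {"@timestamp": ts, "event.category": "process", "event.type": "start",
            "host.id": host, "host.os.type": "windows", "process.name": name,
            "process.entity_id": entity, "process.parent.name": "mmc.exe",
            "process.parent.entity_id": parent_entity}


# Constructed sample telemetry (not real data): one case per filter in the rule.
SAMPLE_EVENTS = [
    net_event("2025-03-20T10:00:00Z", "WS01", "mmc-1", "10.0.0.5", 55321, 49667),    # remote connection
    proc_event("2025-03-20T10:00:10Z", "WS01", "cmd.exe", "cmd-1", "mmc-1"),        # child 10 s later: alert
    net_event("2025-03-20T10:05:00Z", "WS02", "mmc-2", "127.0.0.1", 55400, 49700),  # loopback: filtered
    proc_event("2025-03-20T10:05:05Z", "WS02", "notepad.exe", "np-1", "mmc-2"),
    net_event("2025-03-20T10:10:00Z", "WS03", "mmc-3", "10.0.0.7", 50010, 49710),   # child after maxspan
    proc_event("2025-03-20T10:13:30Z", "WS03", "cmd.exe", "cmd-2", "mmc-3"),
    net_event("2025-03-20T10:20:00Z", "WS04", "mmc-4", "10.0.0.9", 51000, 135),     # dst port < 49152: filtered
    proc_event("2025-03-20T10:20:03Z", "WS04", "cmd.exe", "cmd-3", "mmc-4"),
    proc_event("2025-03-20T10:21:00Z", "WS01", "cmd.exe", "cmd-4", "mmc-9"),        # no preceding network event
]

if __name__ == "__main__":
    for m in find_sequences(SAMPLE_EVENTS):
        print("ALERT", triage_summary(m))
    print("with 10.0.0.0/24 allow-listed:", len(find_sequences(SAMPLE_EVENTS, ["10.0.0.0/24"])))
```

Only the WS01 pair fires: the loopback, low-port, late-child and orphan-child cases each fall out at the clause that the rule's query spells out. Running with the whole 10.0.0.0/24 range allow-listed suppresses the alert entirely, which is why the guide recommends scoping such exclusions to specific management hosts rather than broad ranges.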