Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Lateral Movement Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/06"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via
13the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM
14application to stealthily move laterally.
15"""
16from = "now-9m"
17index = [
18    "winlogbeat-*",
19    "logs-endpoint.events.process-*",
20    "logs-endpoint.events.network-*",
21    "logs-windows.sysmon_operational-*",
22]
23language = "eql"
24license = "Elastic License v2"
25name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
26references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"]
27risk_score = 47
28rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
29severity = "medium"
30tags = [
31    "Domain: Endpoint",
32    "OS: Windows",
33    "Use Case: Threat Detection",
34    "Tactic: Lateral Movement",
35    "Data Source: Elastic Defend",
36    "Data Source: Sysmon",
37]
38type = "eql"
39
40query = '''
41sequence by host.id with maxspan=5s
42 [network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and
43  network.direction : ("incoming", "ingress") and network.transport == "tcp" and
44  source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
45 ] by process.entity_id
46 [process where host.os.type == "windows" and event.type == "start" and
47  process.parent.name : "explorer.exe"
48 ] by process.parent.entity_id
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1021"
56name = "Remote Services"
57reference = "https://attack.mitre.org/techniques/T1021/"
58[[rule.threat.technique.subtechnique]]
59id = "T1021.003"
60name = "Distributed Component Object Model"
61reference = "https://attack.mitre.org/techniques/T1021/003/"
62
63
64
65[rule.threat.tactic]
66id = "TA0008"
67name = "Lateral Movement"
68reference = "https://attack.mitre.org/tactics/TA0008/"

References

  • Lateral Movement via DCOM: Round 2

    Most of you are probably aware that there are only so many ways to pivot, or conduct lateral movement to a Windows system. Some of those techniques include psexec, WMI, at, Scheduled Tasks, and Win…


    Read More

Related rules

to-top