Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.
Elastic rule
[metadata]
creation_date = "2020/11/06"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via
the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM
application to stealthily move laterally.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-endpoint.events.network-*",
  "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"]
risk_score = 47
rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Lateral Movement",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id with maxspan=5s
  [network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and
   network.direction : ("incoming", "ingress") and network.transport == "tcp" and
   source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
  ] by process.entity_id
  [process where host.os.type == "windows" and event.type == "start" and
   process.parent.name : "explorer.exe"
  ] by process.parent.entity_id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

DCOM enables software components to communicate over a network, often used in Windows environments for legitimate inter-process communication. Adversaries exploit DCOM, particularly ShellBrowserWindow or ShellWindows, to execute commands remotely, facilitating stealthy lateral movement. The detection rule identifies suspicious network activity and process creation patterns, such as incoming TCP connections to high ports and explorer.exe spawning processes, which may indicate DCOM abuse.

### Possible investigation steps

- Review the network activity to identify the source IP address of the incoming TCP connection. Verify if the source IP is known or expected within the network environment.
- Examine the process tree for explorer.exe to identify any unusual or unexpected child processes that were spawned. Investigate these processes for any signs of malicious activity.
- Check the destination port and source port numbers to determine if they are commonly used for legitimate services or if they are unusual for the environment.
- Correlate the event with other security logs or alerts to identify any additional suspicious activities or patterns associated with the same source IP or process entity.
- Investigate the user account associated with the explorer.exe process to determine if there are any signs of compromise or unauthorized access.
- Review historical data for any previous occurrences of similar network connections or process creations to identify potential patterns or repeated attempts.

### False positive analysis

- Legitimate software updates or installations may trigger the rule due to the use of DCOM for remote management tasks. Users can create exceptions for known update processes by identifying their specific network and process patterns.
- Internal IT management tools that utilize DCOM for remote administration might cause false positives. Review and whitelist these tools by confirming their source IP addresses and process behaviors.
- Automated scripts or scheduled tasks that leverage DCOM for legitimate purposes can be mistaken for lateral movement. Document and exclude these tasks by correlating their execution times and process chains.
- Network scanning or monitoring tools that generate high-port TCP connections could be misinterpreted as suspicious activity. Validate and exclude these tools by cross-referencing their network traffic with known benign sources.
- User-initiated remote desktop sessions or file transfers using DCOM may appear as lateral movement. Verify and exclude these activities by checking user authentication logs and session details.

### Response and remediation

- Isolate the affected host immediately from the network to prevent further lateral movement and potential data exfiltration.
- Terminate any suspicious processes spawned by explorer.exe that are not part of normal operations, focusing on those initiated through high TCP ports.
- Conduct a thorough review of recent network connections and process creation logs on the affected host to identify any additional compromised systems or lateral movement attempts.
- Reset credentials for any accounts that were active on the affected host during the time of the alert to prevent unauthorized access.
- Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited during the attack.
- Enhance monitoring and logging on the network to detect similar DCOM abuse attempts, ensuring that alerts are configured for high TCP port activity and unusual process spawning by explorer.exe.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment or remediation actions are necessary."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.003"
name = "Distributed Component Object Model"
reference = "https://attack.mitre.org/techniques/T1021/003/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
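To make the two-step EQL sequence concrete, the following is an added Python re-implementation of the rule's join and maxspan logic run over constructed ECS-style events; it is not Elastic's code, and the host id, entity ids, IP addresses and ports are made up. It also shows why the loopback exclusion and the 5-second window each drop a candidate pair.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=5)          # sequence ... with maxspan=5s
LOOPBACK = {"127.0.0.1", "::1"}
EPHEMERAL = 49151                       # source.port and destination.port must exceed this
def is_dcom_incoming(e):
    # Step 1: explorer.exe accepting a non-loopback TCP connection between ephemeral ports
    return (e.get("event.category") == "network" and e.get("host.os.type") == "windows"
            and e.get("event.type") == "start" and e.get("process.name", "").lower() == "explorer.exe"
            and e.get("network.direction") in ("incoming", "ingress") and e.get("network.transport") == "tcp"
            and e.get("source.port", 0) > EPHEMERAL and e.get("destination.port", 0) > EPHEMERAL
            and e.get("source.ip") not in LOOPBACK)

def is_explorer_child(e):
    # Step 2: any process start whose parent is explorer.exe
    return (e.get("event.category") == "process" and e.get("host.os.type") == "windows"
            and e.get("event.type") == "start" and e.get("process.parent.name", "").lower() == "explorer.exe")

def find_sequences(events):
    # Returns (network_event, process_event) pairs joined on host.id plus the explorer.exe entity id
    pending, hits = defaultdict(list), []   # (host.id, entity_id) -> unmatched step-1 events
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if is_dcom_incoming(e):
            pending[(e["host.id"], e.get("process.entity_id"))].append(e)
        elif is_explorer_child(e):
            key = (e["host.id"], e.get("process.parent.entity_id"))
            for net in list(pending[key]):
                if timedelta(0) <= e["@timestamp"] - net["@timestamp"] <= MAXSPAN:
                    hits.append((net, e))
                    pending[key].remove(net)    # a step-1 event completes only one sequence
                    break
    return hits

def ev(offset, **f):                    # constructed ECS-style event, not real telemetry
    return {"@timestamp": datetime(2025, 1, 15, 12, 0, 0) + timedelta(seconds=offset),
            "host.id": "ws01", "host.os.type": "windows", "event.type": "start", **f}

NET = {"event.category": "network", "process.name": "explorer.exe", "source.port": 51234,
       "network.direction": "ingress", "network.transport": "tcp"}
PROC = {"event.category": "process", "process.parent.name": "explorer.exe"}
SAMPLE_EVENTS = [
    # remote host reaches explorer.exe and cmd.exe is spawned 2 s later -> alert
    ev(0, **NET, **{"process.entity_id": "exp-1", "source.ip": "10.0.0.25", "destination.port": 49666}),
    ev(2, **PROC, **{"process.name": "cmd.exe", "process.parent.entity_id": "exp-1"}),
    # loopback connection -> excluded by source.ip != "127.0.0.1"
    ev(10, **NET, **{"process.entity_id": "exp-2", "source.ip": "127.0.0.1", "destination.port": 49667}),
    ev(11, **PROC, **{"process.name": "notepad.exe", "process.parent.entity_id": "exp-2"}),
    # remote connection, but the child starts 30 s later -> outside maxspan
    ev(20, **NET, **{"process.entity_id": "exp-3", "source.ip": "10.0.0.30", "destination.port": 49668}),
    ev(50, **PROC, **{"process.name": "powershell.exe", "process.parent.entity_id": "exp-3"}),
]
```

Running `find_sequences(SAMPLE_EVENTS)` returns only the first pair, which is the behaviour to expect from the EQL rule on equivalent telemetry.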
Related rules
- Execution via TSClient Mountpoint
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell