Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
Sigma rule
title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
id: 551d9c1f-816c-445b-a7a6-7a3864720d60
status: test
description: |
    Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
references:
    - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
    - https://github.com/grayhatkiller/SharpExShell
    - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
author: Aaron Stratton
date: 2023-11-13
tags:
    - attack.t1021.003
    - attack.lateral-movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\excel.exe'
    selection_child:
        - OriginalFileName:
              - 'foxprow.exe'
              - 'schdplus.exe'
              - 'winproj.exe'
        - Image|endswith:
              - '\foxprow.exe'
              - '\schdplus.exe'
              - '\winproj.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
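To make the detection logic concrete, the following is an added example (not part of the Sigma rule or the Sigma project) that evaluates the rule above against a handful of constructed process_creation events. It reproduces two points of Sigma semantics that matter here: string matching is case-insensitive by default, and `selection_child` is a list of maps, so an event matches if its `OriginalFileName` is in the list OR its `Image` ends with one of the suffixes. The event dictionaries and paths are constructed sample data, not real telemetry.

```python
# Added example: evaluate the Excel DCOM ActivateMicrosoftApp rule over sample events.
# Field names follow the Sigma process_creation taxonomy (ParentImage, Image, OriginalFileName).

# Values copied from the rule's detection section.
PARENT_SUFFIX = r"\excel.exe"
ORIGINAL_FILENAMES = ["foxprow.exe", "schdplus.exe", "winproj.exe"]
IMAGE_SUFFIXES = [r"\foxprow.exe", r"\schdplus.exe", r"\winproj.exe"]

# Constructed sample events (hypothetical paths; not from any real host).
SAMPLE_EVENTS = [
    # 0: Excel parent, binary renamed on disk but OriginalFileName still reveals Project -> match
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\Temp\update.exe",
     "OriginalFileName": "WINPROJ.EXE"},
    # 1: Excel parent, Image path ends with \winproj.exe, OriginalFileName absent -> match via Image
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINPROJ.EXE"},
    # 2: same child binary but launched by Explorer, not Excel -> no match
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINPROJ.EXE",
     "OriginalFileName": "WINPROJ.EXE"},
    # 3: Excel child, but not one of the three names the rule covers -> no match
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},
]


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix comparison."""
    return value.lower().endswith(suffix.lower())


def selection_parent(event: dict) -> bool:
    """ParentImage|endswith: '\\excel.exe'"""
    return endswith_ci(event.get("ParentImage", ""), PARENT_SUFFIX)


def selection_child(event: dict) -> bool:
    """List of maps => OR across maps; list of values inside a map => OR across values."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "")
    by_original = original in ORIGINAL_FILENAMES
    by_image = any(endswith_ci(image, s) for s in IMAGE_SUFFIXES)
    return by_original or by_image


def matches(event: dict) -> bool:
    """condition: all of selection_*  (both selections must hold)."""
    return selection_parent(event) and selection_child(event)


def matching_indices(events: list) -> list:
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['Image']}")
```

Event 0 shows why the rule checks `OriginalFileName` in addition to `Image`: a copy of the binary renamed on disk still carries its PE version resource name, so the `Image` suffix alone would miss it. Event 1 shows the reverse case, where the logging pipeline did not populate `OriginalFileName` and the path suffix carries the match. Because the condition is `all of selection_*`, a matching child name with a non-Excel parent (event 2) does not fire, which is what keeps the rule tied to the DCOM Excel.Application path rather than any launch of these applications.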
Related rules
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- HackTool - Potential Impacket Lateral Movement Activity
- MMC Spawning Windows Shell
- Potential DCOM InternetExplorer.Application DLL Hijack
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load