Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

Sigma rule (View on GitHub)

 1title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
 2id: 551d9c1f-816c-445b-a7a6-7a3864720d60
 3status: test
 4description: |
 5        Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
 6references:
 7    - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
 8    - https://github.com/grayhatkiller/SharpExShell
 9    - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
10author: Aaron Stratton
11date: 2023-11-13
12tags:
13    - attack.t1021.003
14    - attack.lateral-movement
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_parent:
20        ParentImage|endswith: '\excel.exe'
21    selection_child:
22        - OriginalFileName:
23          - 'foxprow.exe'
24          - 'schdplus.exe'
25          - 'winproj.exe'
26        - Image|endswith:
27          - '\foxprow.exe'
28          - '\schdplus.exe'
29          - '\winproj.exe'
30    condition: all of selection_*
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top