Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
Detects suspicious child processes of excel.exe (foxprow.exe, schdplus.exe or winproj.exe, matched either by image path or by the PE OriginalFileName) that can indicate lateral movement through the "ActivateMicrosoftApp" method of the Excel.Application DCOM object, the technique described in the referenced SpecterOps post and implemented by SharpExShell: invoked remotely, the method makes Excel start the named Microsoft application, so an attacker who can place a binary under that name obtains execution on the target host.
Sigma rule

```yaml
title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
id: 551d9c1f-816c-445b-a7a6-7a3864720d60
status: experimental
description: |
    Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
references:
    - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
    - https://github.com/grayhatkiller/SharpExShell
    - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
author: Aaron Stratton
date: 2023/11/13
tags:
    - attack.t1021.003
    - attack.lateral_movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\excel.exe'
    selection_child:
        - OriginalFileName:
              - 'foxprow.exe'
              - 'schdplus.exe'
              - 'winproj.exe'
        - Image|endswith:
              - '\foxprow.exe'
              - '\schdplus.exe'
              - '\winproj.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
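To make the rule's matching semantics concrete, here is an added Python evaluator (illustration only, not code from the Sigma project or the rule's author) that applies the detection block above to constructed Sysmon-style process_creation records. It shows the two things that are easy to misread in the YAML: `selection_child` is a list of two maps, so the `OriginalFileName` branch and the `Image|endswith` branch are OR-ed, which is what lets a renamed binary still match on its PE original name; and `all of selection_*` AND-s that with the parent check. Field names and the case-insensitive comparison follow Sigma's default string matching; the event dictionaries are constructed samples, not real telemetry.

```python
"""
Minimal evaluator for the Excel ActivateMicrosoftApp Sigma rule.
Added illustration; the events below are constructed, not captured logs.
"""

# Field values copied from the rule's detection block.
PARENT_SUFFIX = "\\excel.exe"
CHILD_ORIGINAL_NAMES = ("foxprow.exe", "schdplus.exe", "winproj.exe")
CHILD_IMAGE_SUFFIXES = ("\\foxprow.exe", "\\schdplus.exe", "\\winproj.exe")


def _endswith_ci(value, suffix):
    # Sigma string matching is case-insensitive by default.
    return value is not None and value.lower().endswith(suffix.lower())


def selection_parent(event):
    # ParentImage|endswith: '\excel.exe'
    return _endswith_ci(event.get("ParentImage"), PARENT_SUFFIX)


def selection_child(event):
    # A list of maps inside a selection is OR-ed: either OriginalFileName
    # equals one of the names, or Image ends with one of the suffixes.
    ofn = event.get("OriginalFileName")
    by_original_name = ofn is not None and ofn.lower() in CHILD_ORIGINAL_NAMES
    by_image = any(_endswith_ci(event.get("Image"), s) for s in CHILD_IMAGE_SUFFIXES)
    return by_original_name or by_image


def matches(event):
    # condition: all of selection_*
    return selection_parent(event) and selection_child(event)


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {   # Excel launching foxprow.exe by path: should alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Users\Public\foxprow.exe",
        "OriginalFileName": "foxprow.exe",
    },
    {   # Renamed binary; only the PE OriginalFileName gives it away: should alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\Temp\update.exe",
        "OriginalFileName": "WINPROJ.EXE",
    },
    {   # Same child, but the parent is explorer.exe: no match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\Public\winproj.exe",
        "OriginalFileName": "winproj.exe",
    },
    {   # Excel spawning cmd.exe is outside this rule's scope: no match
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return a list of (event index, matched) pairs."""
    return [(i, matches(e)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for i, hit in evaluate():
        print(f"event {i}: {'ALERT' if hit else 'no match'}")
```

Because the rule keys on child image names rather than on DCOM activation itself, a host with a legitimately installed Microsoft Project (winproj.exe) launched from Excel will also fire it; the rule lists false positives as unknown, so baseline such hosts before enabling the rule at high severity.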
Related rules
- Suspicious Non PowerShell WSMAN COM Provider
- MMC Spawning Windows Shell
- Suspicious WSMAN Provider Image Loads
- Possible Impacket DCOMExec Connection Attempt - Zeek
- Remote DCOM/WMI Lateral Movement