Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

Sigma rule

title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
id: 551d9c1f-816c-445b-a7a6-7a3864720d60
status: experimental
description: |
        Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
references:
    - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
    - https://github.com/grayhatkiller/SharpExShell
    - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
author: Aaron Stratton
date: 2023/11/13
tags:
    - attack.t1021.003
    - attack.lateral_movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\excel.exe'
    selection_child:
        - OriginalFileName:
          - 'foxprow.exe'
          - 'schdplus.exe'
          - 'winproj.exe'
        - Image|endswith:
          - '\foxprow.exe'
          - '\schdplus.exe'
          - '\winproj.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
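The rule's condition, `all of selection_*`, requires the parent check AND the child check; inside `selection_child` the two list items (`OriginalFileName` exact match, `Image|endswith`) are OR'd, so a renamed binary is still caught when its PE version resource keeps the original name. The following Python is an added example, not part of the Sigma project or of this page, that applies that logic to a handful of constructed process_creation events (Sysmon-style field names; the paths and values are made up for the example) using Sigma's default case-insensitive string matching:

```python
# Hypothetical matcher for the Sigma rule above (added example, not project code).
# Field names follow Sysmon Event ID 1 / Sigma process_creation conventions.

# Values copied from the rule; Sigma string comparisons are case-insensitive by default.
PARENT_IMAGE_SUFFIXES = ("\\excel.exe",)
CHILD_ORIGINAL_FILENAMES = ("foxprow.exe", "schdplus.exe", "winproj.exe")
CHILD_IMAGE_SUFFIXES = ("\\foxprow.exe", "\\schdplus.exe", "\\winproj.exe")


def _norm(value):
    """Lower-case a field value, treating a missing field as empty."""
    return (value or "").lower()


def selection_parent(event):
    """ParentImage|endswith: '\\excel.exe'"""
    return _norm(event.get("ParentImage")).endswith(PARENT_IMAGE_SUFFIXES)


def selection_child(event):
    """Either list item of selection_child may match (list items are OR'd).

    Returns the name of the matching field for triage, or None.
    """
    if _norm(event.get("OriginalFileName")) in CHILD_ORIGINAL_FILENAMES:
        return "OriginalFileName"
    if _norm(event.get("Image")).endswith(CHILD_IMAGE_SUFFIXES):
        return "Image"
    return None


def matches_rule(event):
    """condition: all of selection_* -> parent AND child must both match."""
    return selection_parent(event) and selection_child(event) is not None


def scan(events):
    """Return (event, matched_child_field) for every event that fires the rule."""
    hits = []
    for event in events:
        if matches_rule(event):
            hits.append((event, selection_child(event)))
    return hits


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    # Excel spawning cmd.exe: suspicious in general, but not what this rule targets.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # Excel spawning a binary named winproj.exe: matches on Image (and OriginalFileName).
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\Public\winproj.exe", "OriginalFileName": "WINPROJ.EXE"},
    # Renamed on disk, but the PE version resource still says schdplus.exe: matches on OriginalFileName.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "schdplus.exe"},
    # Same child launched from Explorer: parent selection fails, so no alert.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\Public\winproj.exe", "OriginalFileName": "WINPROJ.EXE"},
]

if __name__ == "__main__":
    for event, field in scan(SAMPLE_EVENTS):
        print(f"ALERT via {field}: {event['ParentImage']} -> {event['Image']}")
```

Running it flags the second and third events only. The third one is the case that justifies listing both fields in the rule: the executable was renamed on disk, and only `OriginalFileName` (taken from the PE version resource) still reveals what it is. The first event, Excel launching cmd.exe, is not matched because this rule is deliberately narrow; broader Office-child-process rules cover that pattern.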
