{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dcom/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","dcom","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the abuse of Distributed Component Object Model (DCOM) for lateral movement within a Windows environment. DCOM allows software components to communicate across a network, and attackers may leverage it to execute commands remotely. This rule specifically focuses on the use of ShellBrowserWindow or ShellWindows Application COM objects as the launching point for these remote commands. The technique enables stealthy lateral movement, as it leverages legitimate Windows functionality. This activity is detected by identifying incoming TCP connections on high ports associated with \u003ccode\u003eexplorer.exe\u003c/code\u003e spawning child processes, which are indicative of DCOM abuse. The rule is designed to detect this behavior and alert security teams to potential unauthorized lateral movement attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses DCOM to initiate a connection to a target host.\u003c/li\u003e\n\u003cli\u003eThe DCOM connection is established to the target host via high TCP ports (above 49151).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexplorer.exe\u003c/code\u003e process on the target host receives the DCOM connection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ShellBrowserWindow or ShellWindows COM objects to execute commands.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eexplorer.exe\u003c/code\u003e spawns a child process to execute the attacker-supplied command.\u003c/li\u003e\n\u003cli\u003eThe spawned process performs malicious actions, such as reconnaissance or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the target system, leading to potential data exfiltration, system compromise, and further lateral movement within the network. This can result in significant damage, including data breaches, financial losses, and reputational harm. The DCOM protocol is commonly used in many Windows environments, so this technique could be broadly applicable across many victim organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DCOM Lateral Movement with Explorer.exe\u0026rdquo; to your SIEM and tune for your environment to detect suspicious process creations spawned by explorer.exe.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) and Event ID 1 (Process Creation) logging to ensure the required data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview network activity for incoming TCP connections to high ports (49151+) associated with \u003ccode\u003eexplorer.exe\u003c/code\u003e, as highlighted in the \u0026ldquo;Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows\u0026rdquo; detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual or unexpected child processes spawned by \u003ccode\u003eexplorer.exe\u003c/code\u003e, as detected by the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-dcom-lateral-movement/","summary":"This analytic identifies the use of Distributed Component Object Model (DCOM) to execute commands on a remote host, specifically when launched via ShellBrowserWindow or ShellWindows Application COM objects, indicating potential lateral movement by an attacker.","title":"DCOM Lateral Movement via ShellWindows/ShellBrowserWindow","url":"https://feed.craftedsignal.io/briefs/2024-01-dcom-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["initial-access","defense-evasion","execution","explorer.exe","dcom"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers frequently exploit Windows Explorer (explorer.exe) to execute malicious code due to its inherent trust within the operating system. This involves spawning child processes such as PowerShell, cmd.exe, or other scripting engines via Component Object Model (COM) and Distributed Component Object Model (DCOM). This technique enables attackers to bypass security controls, blending malicious activity with legitimate system processes. The detection rule identifies such anomalies by monitoring child processes of Explorer with specific characteristics, excluding known benign activities, to flag potential threats. This activity is frequently associated with initial access and execution of follow-on malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an initial access vector such as spearphishing (T1566).\u003c/li\u003e\n\u003cli\u003eA user clicks a malicious link or opens an attachment, leading to code execution.\u003c/li\u003e\n\u003cli\u003eThe initial payload exploits explorer.exe through DCOM using the -Embedding argument.\u003c/li\u003e\n\u003cli\u003eExplorer.exe spawns a child process such as powershell.exe, cmd.exe, or mshta.exe (T1059, T1218).\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious commands or scripts.\u003c/li\u003e\n\u003cli\u003eThese commands might download or execute additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, potentially gaining persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often lateral movement, data exfiltration, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within a trusted process context, bypassing application whitelisting and other security controls. This can lead to initial access, privilege escalation, and persistence within the compromised system. The compromise can remain undetected for extended periods due to the trusted nature of the parent process (explorer.exe), enabling attackers to perform reconnaissance, deploy malware, exfiltrate data, or disrupt services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to detect suspicious explorer.exe child processes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Explorer Child Process - PowerShell\u0026rdquo; to identify instances of PowerShell spawned by explorer.exe with suspicious arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Explorer Child Process - Scripting Engines\u0026rdquo; to detect other scripting engines launched by explorer.exe.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes like powershell.exe, cmd.exe, cscript.exe, wscript.exe, mshta.exe, regsvr32.exe, and rundll32.exe with a parent process of explorer.exe and the argument \u0026ldquo;-Embedding\u0026rdquo; via process creation logs.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict execution of unsigned or untrusted scripts and executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-explorer-child-process/","summary":"Adversaries abuse the trusted status of explorer.exe to launch malicious scripts or executables, often using DCOM to start processes like PowerShell or cmd.exe, achieving initial access, defense evasion, and execution.","title":"Suspicious Explorer Child Process via DCOM","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-explorer-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Dcom","version":"https://jsonfeed.org/version/1.1"}