Detection rules › Kusto Query Language

Lateral Movement via DCOM

Source: upstream

'This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network. Ref: http://thenegative.zone/incident response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html'

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1021.003` Remote Services: Distributed Component Object Model

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `source`

Event

Stage 2: `where`

and
  EventID eq "1"
  EventLog eq "Microsoft-Windows-Sysmon/Operational"

Stage 3: `parse`

Stage 4: `where`

and
  CommandLine eq "C:\\\\Windows\\\\System32\\\\mmc.exe -Embedding"
  ParentCommandLine eq "C:\\\\Windows\\\\System32\\\\svchost.exe -k DcomLaunch"

Stage 5: `parse`

Stage 6: `summarize`

Stage 7: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	eq	`C:\\Windows\\System32\\mmc.exe -Embedding`
`EventID`	eq	`1` corpus 3 (splunk 3)
`EventLog`	eq	`Microsoft-Windows-Sysmon/Operational`
`ParentCommandLine`	eq	`C:\\Windows\\System32\\svchost.exe -k DcomLaunch`

Lateral Movement via DCOM

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: parse

Stage 4: where

Stage 5: parse

Stage 6: summarize

Stage 7: extend