Invoke-DCOM.ps1 - PowerShell (Sysmon)
Adversaries may use Valid Accounts to interact with remote machines by taking advantage of the Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. This use case detects use of the Invoke-DCOM PowerShell script to obtain arbitrary, direct shellcode execution on a remote host through Office applications and other Windows objects that expose insecure methods. Note: PowerShell logging (script block logging) is recommended for best detection. Detection from other log sources, such as the Sysmon process creation events this rule uses, depends on the commands being run in a manner that creates a new process, such as powershell -c, so that the DCOM ProgIDs, CLSIDs or method names appear on a command line.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Lateral Movement | T1021.003 Remote Services: Distributed Component Object Model |
References
https://attack.mitre.org/techniques/T1021/003/
https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body

```yaml
id: '31900.56999'
title: Invoke-DCOM.ps1 - PowerShell
description: 'Adversaries may use Valid Accounts to interact with remote machines
by taking advantage of Distributed Component Object Model (DCOM). The adversary
may then perform actions as the logged-on user. This use case detects the usage
of Invoke-DCOM PowerShell script to remotely obtain arbitrary and direct shellcode
execution through Office applications as well as other Windows objects that contain
insecure methods. Note: PowerShell logging is recommended for best detection. Detection
using other log sources is dependent on commands being run in a manner that creates
a new process, such as powershell -c.'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<")
((("MMC20.Application" OR "ShellWindows" OR "ShellBrowserWindow" OR "CheckDomain"
OR "ServiceCheck" OR "MinimizeAll" OR "ServiceStop" OR "ServiceStart" OR "DetectOffice"
OR "RegisterXLL" OR "ExcelDDE") OR ("9BA05972-F6A8-11CF-A442-00A0C90A8F39" OR "C08AFD90-F2A1-11D1-8455-00A0C91F3880"
OR "7e0423cd-1119-0928-900c-e6d4a52a0715")) OR ("Application.ServiceStart" OR "Application.ServiceStop"
OR "Application.IsServiceRunning" OR "Application.ShutDownWindows" OR "Application.GetSystemInformation"
OR "DDEInitiate" OR "Application.RegisterXLL" OR "Application.ProductCode" OR "Application.MinimizeAll"
OR "ActiveView.ExecuteShellCommand") ("cmd.exe" OR "powershell.exe" OR "pwsh.exe"))
AND NOT ("rundll32.exe" OR TERM(rundll32)) | table _time, host, user, process, parent_process
| bin span=1s | stats values(*) as * by _time, host '
techniques:
- lateral-movement:remote services:distributed component object model
technique_id:
- T1021.003
data_category:
- Windows Sysmon
references:
- https://attack.mitre.org/techniques/T1021/003/
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1
- https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
```
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<") ((("MMC20.Application" OR "ShellWindows" OR "ShellBrowserWindow" OR "CheckDomain" OR "ServiceCheck" OR "MinimizeAll" OR "ServiceStop" OR "ServiceStart" OR "DetectOffice" OR "RegisterXLL" OR "ExcelDDE") OR ("9BA05972-F6A8-11CF-A442-00A0C90A8F39" OR "C08AFD90-F2A1-11D1-8455-00A0C91F3880" OR "7e0423cd-1119-0928-900c-e6d4a52a0715")) OR ("Application.ServiceStart" OR "Application.ServiceStop" OR "Application.IsServiceRunning" OR "Application.ShutDownWindows" OR "Application.GetSystemInformation" OR "DDEInitiate" OR "Application.RegisterXLL" OR "Application.ProductCode" OR "Application.MinimizeAll" OR "ActiveView.ExecuteShellCommand") ("cmd.exe" OR "powershell.exe" OR "pwsh.exe")) AND NOT ("rundll32.exe" OR TERM(rundll32))
Stage 2: table
| table _time, host, user, process, parent_process
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
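The four stages above are a Splunk search, so they cannot be exercised without an indexer. The following Python is an added example, not part of the rule or the catalog, that re-implements the same logic over a handful of constructed Sysmon Event ID 1 records so the boolean structure of stage 1 can be seen: the method-name group and the CLSID group each match on their own, the member-name group only matches together with a cmd.exe, powershell.exe or pwsh.exe token, and any rundll32 hit is dropped. Substring matching stands in for Splunk's tokenised index search, TERM(rundll32) is approximated with a boundary-delimited regex, and the CIM fields process and parent_process are assumed to map to the Sysmon Image and ParentImage values; the XML events are constructed for the demonstration and are not real captures.

```python
import re
from collections import defaultdict

# Stage 1 search terms, grouped exactly as the SPL parentheses group them:
#   (METHOD_TERMS or CLSID_TERMS) or (MEMBER_TERMS and SHELL_TERMS), and not rundll32.
# The first two groups need no shell process in the event: "MinimizeAll" alone is enough.
METHOD_TERMS = ("MMC20.Application", "ShellWindows", "ShellBrowserWindow", "CheckDomain",
                "ServiceCheck", "MinimizeAll", "ServiceStop", "ServiceStart", "DetectOffice",
                "RegisterXLL", "ExcelDDE")
CLSID_TERMS = ("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "C08AFD90-F2A1-11D1-8455-00A0C91F3880",
               "7e0423cd-1119-0928-900c-e6d4a52a0715")
MEMBER_TERMS = ("Application.ServiceStart", "Application.ServiceStop", "Application.IsServiceRunning",
                "Application.ShutDownWindows", "Application.GetSystemInformation", "DDEInitiate",
                "Application.RegisterXLL", "Application.ProductCode", "Application.MinimizeAll",
                "ActiveView.ExecuteShellCommand")
SHELL_TERMS = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Fields projected by "| table _time, host, user, process, parent_process".
# Assumption: process maps to Sysmon Image and parent_process to ParentImage.
FIELD_PATTERNS = {
    "_time": r"<TimeCreated SystemTime=['\"]([^'\"]+)['\"]",
    "host": r"<Computer>([^<]+)</Computer>",
    "user": r"<Data Name=['\"]User['\"]>([^<]+)</Data>",
    "process": r"<Data Name=['\"]Image['\"]>([^<]+)</Data>",
    "parent_process": r"<Data Name=['\"]ParentImage['\"]>([^<]+)</Data>",
}

def _has_any(raw, terms):
    """Quoted bare strings in SPL are matched case-insensitively against _raw;
    substring search is the stand-in used here for Splunk's tokenised index."""
    low = raw.lower()
    return any(t.lower() in low for t in terms)

def _has_rundll32_term(raw):
    """TERM(rundll32) matches the exact indexed token; approximated (assumption)
    with a boundary-delimited, case-insensitive regex."""
    return re.search(r"(?<![A-Za-z0-9_])rundll32(?![A-Za-z0-9_])", raw, re.I) is not None

def stage1_matches(raw):
    """Stage 1: the Event ID 1 gate, the three term groups and the rundll32 exclusion."""
    if "<EventID>1<" not in raw and "EventCode=1" not in raw:
        return False
    hit = (_has_any(raw, METHOD_TERMS) or _has_any(raw, CLSID_TERMS)
           or (_has_any(raw, MEMBER_TERMS) and _has_any(raw, SHELL_TERMS)))
    excluded = _has_any(raw, ("rundll32.exe",)) or _has_rundll32_term(raw)
    return hit and not excluded

def run_rule(events):
    """Stages 2-4: project the fields, bin _time to 1 s, collect distinct values per (_time, host)."""
    buckets = defaultdict(lambda: defaultdict(set))
    for raw in events:
        if not stage1_matches(raw):
            continue
        row = {f: (m.group(1) if (m := re.search(p, raw)) else None) for f, p in FIELD_PATTERNS.items()}
        key = (row["_time"][:19], row["host"])  # bin span=1s: truncate ISO-8601 time to whole seconds
        for f in ("user", "process", "parent_process"):
            if row[f]:
                buckets[key][f].add(row[f])
    return {k: {f: sorted(v) for f, v in fields.items()} for k, fields in buckets.items()}

def sysmon_event(time, host, user, image, parent, cmdline, event_id=1):
    """Constructed, minimal Sysmon XML event for the demonstration; not a real capture."""
    return (f"<Event><System><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{time}'/><Computer>{host}</Computer></System>"
            f"<EventData><Data Name='User'>{user}</Data><Data Name='Image'>{image}</Data>"
            f"<Data Name='CommandLine'>{cmdline}</Data><Data Name='ParentImage'>{parent}</Data>"
            "</EventData></Event>")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample input
    # A: MMC20.Application ExecuteShellCommand via powershell -c (method-name group) -> match
    sysmon_event("2024-03-05T10:15:42.123456700Z", "WS01", r"CORP\alice", PS, r"C:\Windows\explorer.exe",
                 "powershell.exe -c \"$c=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application','10.0.0.5'));"
                 "$c.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c whoami','7')\""),
    # B: same token from rundll32 -> dropped by the NOT rundll32 clause
    sysmon_event("2024-03-05T10:15:42.900000000Z", "WS01", r"CORP\alice", r"C:\Windows\System32\rundll32.exe", PS,
                 r"rundll32.exe C:\Temp\dcom.dll,Run ShellWindows"),
    # C: ShellWindows CLSID via pwsh, same host and second as A -> match, merged into A's bucket
    sysmon_event("2024-03-05T10:15:42.700000000Z", "WS01", r"CORP\alice", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"C:\Windows\explorer.exe",
                 "pwsh.exe -c \"[activator]::CreateInstance([type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39','10.0.0.5'))\""),
    # D: benign process creation with none of the terms -> no match
    sysmon_event("2024-03-05T10:15:50.000000000Z", "WS01", r"CORP\alice", r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", r"notepad.exe C:\Users\alice\notes.txt"),
    # E: member-name term but no cmd/powershell/pwsh token anywhere in _raw -> no match
    sysmon_event("2024-03-05T10:16:01.000000000Z", "WS02", r"CORP\bob", r"C:\Program Files\Python311\python.exe",
                 r"C:\Windows\explorer.exe", r"python.exe C:\Tools\inventory.py --probe ActiveView.ExecuteShellCommand"),
    # F: the same member-name term launched through cmd.exe -> match
    sysmon_event("2024-03-05T10:16:01.500000000Z", "WS02", r"CORP\bob", r"C:\Windows\System32\cmd.exe", PS,
                 r"cmd.exe /c C:\Tools\probe.exe --method ActiveView.ExecuteShellCommand"),
    # G: terms present but Event ID 3, not a process creation -> ignored by the EventID gate
    sysmon_event("2024-03-05T10:15:43.000000000Z", "WS01", r"CORP\alice", PS, r"C:\Windows\explorer.exe",
                 "powershell.exe -c MMC20.Application", event_id=3),
]

if __name__ == "__main__":
    for key, fields in sorted(run_rule(SAMPLE_EVENTS).items()):
        print(key, fields)
```

Running it yields two rows, one per (second, host): WS01 at 10:15:42 with both powershell.exe and pwsh.exe collapsed into the process values, and WS02 at 10:16:01 with the cmd.exe launch. Events B, D, E and G never reach the stats stage, which is the behaviour to expect when the rule is tuned: a member-name term such as ActiveView.ExecuteShellCommand is only a hit when a shell token also appears in the same raw event, while the ProgID and CLSID groups fire regardless of which process was created.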
Indicators
Each row is a field, operator, and value that the rule matches. The only field-level predicate in this rule is the Sysmon event ID gate (TERM(EventCode=1), or its XML rendering "<EventID>1<"); every other condition is a bare search term, listed in the next section.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 1 |
Search terms
Bare-string tokens in the SPL search body. Splunk matches each quoted token case-insensitively against _raw (the untyped raw event text) rather than against a specific field, so these do not surface in the Indicators table, which only lists predicates on a known field. The "<EventID>1<" token keys on the XML rendering of the Windows event log, where the event ID appears as <EventID>1</EventID>. The final row is Splunk's TERM() directive, which matches a whole indexed term (minor breakers such as "." are kept inside the term) rather than the tokenised string search used for the quoted values; together with "rundll32.exe" it drives the rule's AND NOT exclusion.
| Stage | Term |
|---|---|
| 1 | "<EventID>1<" |
| 1 | "MMC20.Application" |
| 1 | "ShellWindows" |
| 1 | "ShellBrowserWindow" |
| 1 | "CheckDomain" |
| 1 | "ServiceCheck" |
| 1 | "MinimizeAll" |
| 1 | "ServiceStop" |
| 1 | "ServiceStart" |
| 1 | "DetectOffice" |
| 1 | "RegisterXLL" |
| 1 | "ExcelDDE" |
| 1 | "9BA05972-F6A8-11CF-A442-00A0C90A8F39" |
| 1 | "C08AFD90-F2A1-11D1-8455-00A0C91F3880" |
| 1 | "7e0423cd-1119-0928-900c-e6d4a52a0715" |
| 1 | "Application.ServiceStart" |
| 1 | "Application.ServiceStop" |
| 1 | "Application.IsServiceRunning" |
| 1 | "Application.ShutDownWindows" |
| 1 | "Application.GetSystemInformation" |
| 1 | "DDEInitiate" |
| 1 | "Application.RegisterXLL" |
| 1 | "Application.ProductCode" |
| 1 | "Application.MinimizeAll" |
| 1 | "ActiveView.ExecuteShellCommand" |
| 1 | "cmd.exe" |
| 1 | "powershell.exe" |
| 1 | "pwsh.exe" |
| 1 | "rundll32.exe" |
| 1 | TERM(rundll32) |