mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-15 20:25:18 +03:00
Add 30 new production-grade cybersecurity skills: AI security, supply chain, firmware, cloud-native, compliance, deception, crypto, threat hunting, purple team, OT, privacy
This commit is contained in:
@@ -0,0 +1,126 @@
|
||||
# DCOM Lateral Movement Detection API Reference
|
||||
|
||||
## MITRE ATT&CK Mapping
|
||||
|
||||
| Technique | ID | Description |
|
||||
|-----------|----|-------------|
|
||||
| Remote Services: DCOM | T1021.003 | Adversaries use DCOM to execute commands on remote systems |
|
||||
| Lateral Movement | TA0008 | Tactic covering movement between networked systems |
|
||||
| Windows Management Instrumentation | T1047 | WMI often correlated with DCOM lateral movement |
|
||||
|
||||
## DCOM COM Objects Abused for Lateral Movement
|
||||
|
||||
| COM Object | CLSID | Method | Parent Process |
|
||||
|------------|-------|--------|---------------|
|
||||
| MMC20.Application | {49B2791A-B1AE-4C90-9B8E-E860BA07F889} | ExecuteShellCommand | mmc.exe via svchost.exe -k DcomLaunch |
|
||||
| ShellWindows | {9BA05972-F6A8-11CF-A442-00A0C90A8F39} | Document.Application.ShellExecute | explorer.exe (existing process) |
|
||||
| ShellBrowserWindow | {C08AFD90-F2A1-11D1-8455-00A0C91F3880} | Document.Application.ShellExecute | explorer.exe (existing process) |
|
||||
| Excel.Application | {00024500-0000-0000-C000-000000000046} | DDEInitiate / RegisterXLL | excel.exe via svchost.exe -k DcomLaunch |
|
||||
| Outlook.Application | {0006F03A-0000-0000-C000-000000000046} | CreateObject | outlook.exe via svchost.exe -k DcomLaunch |
|
||||
|
||||
## Sysmon Event IDs for DCOM Detection
|
||||
|
||||
| Event ID | Name | DCOM Relevance |
|
||||
|----------|------|----------------|
|
||||
| 1 | Process Create | Detects DCOM parent (mmc.exe, dllhost.exe, explorer.exe) spawning suspicious children |
|
||||
| 3 | Network Connection | Captures inbound RPC (port 135) and dynamic high-port DCOM connections |
|
||||
| 7 | Image Loaded | Tracks loading of DCOM-related DLLs (ole32.dll, comsvcs.dll, rpcrt4.dll) |
|
||||
| 10 | Process Access | Detects cross-process access patterns from DCOM processes |
|
||||
| 11 | File Create | Identifies file drops from DCOM-executed commands |
|
||||
|
||||
## Windows Security Event IDs
|
||||
|
||||
| Event ID | Log | DCOM Context |
|
||||
|----------|-----|-------------|
|
||||
| 4624 (Type 3) | Security | Network logon preceding DCOM execution on target |
|
||||
| 4672 | Security | Special privileges assigned during DCOM remote activation |
|
||||
| 4688 | Security | Process creation (alternative to Sysmon EID 1 if enabled) |
|
||||
|
||||
## WMI-Activity Operational Event IDs
|
||||
|
||||
| Event ID | Description |
|
||||
|----------|-------------|
|
||||
| 5857 | WMI provider loaded (DCOM can trigger WMI operations) |
|
||||
| 5858 | WMI query error |
|
||||
| 5860 | Temporary WMI event consumer registration |
|
||||
| 5861 | Permanent WMI event consumer registration |
|
||||
|
||||
## Network Indicators
|
||||
|
||||
| Protocol | Port | Description |
|
||||
|----------|------|-------------|
|
||||
| TCP | 135 | RPC Endpoint Mapper - all DCOM starts here |
|
||||
| TCP | 49152-65535 | Dynamic RPC ports for DCOM data transfer |
|
||||
| TCP | 445 | SMB - may follow DCOM for file operations |
|
||||
| TCP | 139 | NetBIOS Session Service |
|
||||
|
||||
## Splunk SPL - DCOM Detection Queries
|
||||
|
||||
```spl
|
||||
# MMC20.Application lateral movement
|
||||
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
|
||||
EventCode=1 ParentImage="*\\mmc.exe"
|
||||
(Image="*\\cmd.exe" OR Image="*\\powershell.exe")
|
||||
| table _time ComputerName ParentImage Image CommandLine User
|
||||
|
||||
# Inbound RPC connections (DCOM prerequisite)
|
||||
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
|
||||
EventCode=3 DestinationPort=135 Initiated="false"
|
||||
| stats dc(SourceIp) as sources count by ComputerName
|
||||
| where sources > 3
|
||||
```
|
||||
|
||||
## KQL - Microsoft Sentinel Queries
|
||||
|
||||
```kql
|
||||
// DCOM process creation from mmc.exe or dllhost.exe
|
||||
SysmonEvent
|
||||
| where EventID == 1
|
||||
| where ParentImage endswith "\\mmc.exe" or ParentImage endswith "\\dllhost.exe"
|
||||
| where Image endswith "\\cmd.exe" or Image endswith "\\powershell.exe"
|
||||
| project TimeGenerated, Computer, ParentImage, Image, CommandLine, User
|
||||
```
|
||||
|
||||
## python-evtx - Parse Sysmon EVTX
|
||||
|
||||
```python
|
||||
from Evtx.Evtx import FileHeader
|
||||
from lxml import etree
|
||||
|
||||
NS = {"evt": "http://schemas.microsoft.com/win/2004/08/events/event"}
|
||||
with open("Microsoft-Windows-Sysmon%4Operational.evtx", "rb") as f:
|
||||
fh = FileHeader(f)
|
||||
for record in fh.records():
|
||||
root = etree.fromstring(record.xml().encode("utf-8"))
|
||||
eid = root.find(".//evt:System/evt:EventID", NS)
|
||||
if eid is not None and eid.text == "1":
|
||||
data = {e.get("Name"): e.text for e in root.findall(".//evt:EventData/evt:Data", NS)}
|
||||
print(data.get("ParentImage"), "->", data.get("Image"))
|
||||
```
|
||||
|
||||
## Atomic Red Team - T1021.003 Test Cases
|
||||
|
||||
| Atomic Test | Description |
|
||||
|-------------|-------------|
|
||||
| MMC20.Application Lateral Movement | Instantiates MMC20.Application DCOM and calls ExecuteShellCommand |
|
||||
| ShellWindows Lateral Movement | Uses ShellWindows CLSID for remote command execution |
|
||||
| Excel DDE DCOM | Creates remote Excel instance and triggers DDE execution |
|
||||
|
||||
## Impacket - dcomexec.py
|
||||
|
||||
```bash
|
||||
# Attack tool reference (for detection validation in authorized testing)
|
||||
# dcomexec.py creates a DCOM connection and executes commands
|
||||
# Protocol: Uses MMC20.Application, ShellWindows, or ShellBrowserWindow
|
||||
python3 dcomexec.py domain/user:password@target_ip "whoami"
|
||||
python3 dcomexec.py -object MMC20 domain/user:password@target_ip "cmd.exe /c ipconfig"
|
||||
python3 dcomexec.py -object ShellWindows domain/user:password@target_ip "powershell -c Get-Process"
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
- MITRE ATT&CK T1021.003: https://attack.mitre.org/techniques/T1021/003/
|
||||
- Cybereason DCOM Research: https://www.cybereason.com/blog/dcom-lateral-movement-techniques
|
||||
- MDSec DCOM Lateral Movement: https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/
|
||||
- Elastic Detection Rule: https://www.elastic.co/guide/en/security/8.19/incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.html
|
||||
- Atomic Red Team T1021.003: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md
|
||||
Reference in New Issue
Block a user