Anthropic-Cybersecurity-Skills/skills/hunting-for-dcom-lateral-movement/references/api-reference.md

DCOM Lateral Movement Detection API Reference

MITRE ATT&CK Mapping

Technique	ID	Description
Remote Services: DCOM	T1021.003	Adversaries use DCOM to execute commands on remote systems
Lateral Movement	TA0008	Tactic covering movement between networked systems
Windows Management Instrumentation	T1047	WMI often correlated with DCOM lateral movement

DCOM COM Objects Abused for Lateral Movement

COM Object	CLSID	Method	Parent Process
MMC20.Application	{49B2791A-B1AE-4C90-9B8E-E860BA07F889}	ExecuteShellCommand	mmc.exe via svchost.exe -k DcomLaunch
ShellWindows	{9BA05972-F6A8-11CF-A442-00A0C90A8F39}	Document.Application.ShellExecute	explorer.exe (existing process)
ShellBrowserWindow	{C08AFD90-F2A1-11D1-8455-00A0C91F3880}	Document.Application.ShellExecute	explorer.exe (existing process)
Excel.Application	{00024500-0000-0000-C000-000000000046}	DDEInitiate / RegisterXLL	excel.exe via svchost.exe -k DcomLaunch
Outlook.Application	{0006F03A-0000-0000-C000-000000000046}	CreateObject	outlook.exe via svchost.exe -k DcomLaunch

Sysmon Event IDs for DCOM Detection

Event ID	Name	DCOM Relevance
1	Process Create	Detects DCOM parent (mmc.exe, dllhost.exe, explorer.exe) spawning suspicious children
3	Network Connection	Captures inbound RPC (port 135) and dynamic high-port DCOM connections
7	Image Loaded	Tracks loading of DCOM-related DLLs (ole32.dll, comsvcs.dll, rpcrt4.dll)
10	Process Access	Detects cross-process access patterns from DCOM processes
11	File Create	Identifies file drops from DCOM-executed commands

Windows Security Event IDs

Event ID	Log	DCOM Context
4624 (Type 3)	Security	Network logon preceding DCOM execution on target
4672	Security	Special privileges assigned during DCOM remote activation
4688	Security	Process creation (alternative to Sysmon EID 1 if enabled)

WMI-Activity Operational Event IDs

Event ID	Description
5857	WMI provider loaded (DCOM can trigger WMI operations)
5858	WMI query error
5860	Temporary WMI event consumer registration
5861	Permanent WMI event consumer registration

Network Indicators

Protocol	Port	Description
TCP	135	RPC Endpoint Mapper - all DCOM starts here
TCP	49152-65535	Dynamic RPC ports for DCOM data transfer
TCP	445	SMB - may follow DCOM for file operations
TCP	139	NetBIOS Session Service

Splunk SPL - DCOM Detection Queries

# MMC20.Application lateral movement
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1 ParentImage="*\\mmc.exe"
(Image="*\\cmd.exe" OR Image="*\\powershell.exe")
| table _time ComputerName ParentImage Image CommandLine User

# Inbound RPC connections (DCOM prerequisite)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=3 DestinationPort=135 Initiated="false"
| stats dc(SourceIp) as sources count by ComputerName
| where sources > 3

KQL - Microsoft Sentinel Queries

// DCOM process creation from mmc.exe or dllhost.exe
SysmonEvent
| where EventID == 1
| where ParentImage endswith "\\mmc.exe" or ParentImage endswith "\\dllhost.exe"
| where Image endswith "\\cmd.exe" or Image endswith "\\powershell.exe"
| project TimeGenerated, Computer, ParentImage, Image, CommandLine, User

python-evtx - Parse Sysmon EVTX

from Evtx.Evtx import FileHeader
from lxml import etree

NS = {"evt": "http://schemas.microsoft.com/win/2004/08/events/event"}
with open("Microsoft-Windows-Sysmon%4Operational.evtx", "rb") as f:
    fh = FileHeader(f)
    for record in fh.records():
        root = etree.fromstring(record.xml().encode("utf-8"))
        eid = root.find(".//evt:System/evt:EventID", NS)
        if eid is not None and eid.text == "1":
            data = {e.get("Name"): e.text for e in root.findall(".//evt:EventData/evt:Data", NS)}
            print(data.get("ParentImage"), "->", data.get("Image"))

Atomic Red Team - T1021.003 Test Cases

Atomic Test	Description
MMC20.Application Lateral Movement	Instantiates MMC20.Application DCOM and calls ExecuteShellCommand
ShellWindows Lateral Movement	Uses ShellWindows CLSID for remote command execution
Excel DDE DCOM	Creates remote Excel instance and triggers DDE execution

Impacket - dcomexec.py

# Attack tool reference (for detection validation in authorized testing)
# dcomexec.py creates a DCOM connection and executes commands
# Protocol: Uses MMC20.Application, ShellWindows, or ShellBrowserWindow
python3 dcomexec.py domain/user:password@target_ip "whoami"
python3 dcomexec.py -object MMC20 domain/user:password@target_ip "cmd.exe /c ipconfig"
python3 dcomexec.py -object ShellWindows domain/user:password@target_ip "powershell -c Get-Process"

References

• MITRE ATT&CK T1021.003: https://attack.mitre.org/techniques/T1021/003/
• Cybereason DCOM Research: https://www.cybereason.com/blog/dcom-lateral-movement-techniques
• MDSec DCOM Lateral Movement: https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/
• Elastic Detection Rule: https://www.elastic.co/guide/en/security/8.19/incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.html
• Atomic Red Team T1021.003: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md