hunting-for-dcom-lateral-movement
Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships.
What this skill does
# Hunting for DCOM Lateral Movement
> **Authorized Testing Disclaimer**: The offensive techniques and attack simulations described in this skill are intended exclusively for authorized penetration testing, red team engagements, purple team exercises, and security research conducted with explicit written permission from the system owner. Unauthorized use of these techniques against systems you do not own or have permission to test is illegal and unethical. Always operate within the scope of your engagement and comply with applicable laws and regulations.
## Overview
Distributed Component Object Model (DCOM) enables remote execution of COM objects across a network using RPC. Adversaries abuse specific DCOM objects -- MMC20.Application (CLSID {49B2791A-B1AE-4C90-9B8E-E860BA07F889}), ShellBrowserWindow (CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880}), and ShellWindows (CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39}) -- to execute commands on remote hosts without dropping files, making this a stealthy lateral movement technique mapped to MITRE ATT&CK T1021.003. This skill provides detection strategies using Sysmon telemetry, Windows Security Event correlation, network monitoring, and SIEM detection rules to identify DCOM abuse in enterprise environments.
## When to Use
- Proactively hunting for lateral movement in Active Directory environments where DCOM is enabled
- Investigating alerts for suspicious mmc.exe, dllhost.exe, or explorer.exe child process creation on servers
- Building detection rules for MITRE ATT&CK T1021.003 (Remote Services: Distributed Component Object Model)
- Correlating Sysmon Event ID 1 (Process Create) and Event ID 3 (Network Connection) to trace DCOM-based command execution chains
- Auditing DCOM exposure across the domain to reduce lateral movement attack surface
- During purple team exercises validating detection coverage for DCOM-based techniques
**Do not use** this skill as a replacement for EDR-based lateral movement detection, on endpoints that lack Sysmon or equivalent process telemetry, or in isolation without correlating network-level and host-level indicators.
## Prerequisites
- Sysmon deployed on endpoints with configuration capturing Event ID 1 (Process Create), Event ID 3 (Network Connection), Event ID 7 (Image Loaded), and Event ID 10 (Process Access)
- Windows Security Event Logs forwarded to SIEM (Event IDs 4624, 4672, 4688)
- SIEM platform (Splunk, Elastic, Microsoft Sentinel) with correlation capability
- Network monitoring for RPC traffic (TCP 135 and dynamic high ports 49152-65535)
- Baseline inventory of legitimate DCOM usage in the environment
- Understanding of MITRE ATT&CK Lateral Movement tactic (TA0008) and T1021.003
## Workflow
### Step 1: Understand DCOM Lateral Movement Attack Vectors
DCOM lateral movement exploits three primary COM objects. Each has distinct forensic artifacts.
**MMC20.Application** -- The attacker instantiates the MMC snap-in remotely and calls `ExecuteShellCommand` to run arbitrary commands on the target. This spawns mmc.exe as a child of svchost.exe (DcomLaunch service) on the target.
**ShellBrowserWindow** -- Uses the `Document.Application.ShellExecute` method to execute commands through an existing explorer.exe process. Unlike MMC20, this does not create a new process for the COM server itself, making it stealthier.
**ShellWindows** -- Similar to ShellBrowserWindow, it activates within an existing explorer.exe instance and executes child processes from explorer.exe. The absence of a new COM server process makes it harder to detect without proper telemetry.
```powershell
# ATTACK SIMULATION (authorized testing only)
# These commands demonstrate what adversaries execute -- use only in lab environments

# MMC20.Application lateral movement
# $dcom = [System.Activator]::CreateInstance(
#     [Type]::GetTypeFromProgID("MMC20.Application", "TARGET_IP"))
# $dcom.Document.ActiveView.ExecuteShellCommand(
#     "cmd.exe", $null, "/c whoami > C:\temp\output.txt", "7")

# ShellWindows lateral movement
# $dcom = [System.Activator]::CreateInstance(
#     [Type]::GetTypeFromCLSID(
#         [guid]"9BA05972-F6A8-11CF-A442-00A0C90A8F39", "TARGET_IP"))
# $dcom.item().Document.Application.ShellExecute(
#     "cmd.exe", "/c calc.exe", "C:\windows\system32", $null, 0)

# ShellBrowserWindow lateral movement
# $dcom = [System.Activator]::CreateInstance(
#     [Type]::GetTypeFromCLSID(
#         [guid]"C08AFD90-F2A1-11D1-8455-00A0C91F3880", "TARGET_IP"))
# $dcom.Document.Application.ShellExecute(
#     "cmd.exe", "/c net user", "C:\windows\system32", $null, 0)
```
### Step 2: Configure Sysmon for DCOM Detection
```xml
<!-- Sysmon configuration excerpt for DCOM lateral movement detection -->
<!-- Add these rules to your existing Sysmon config -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Event ID 1: Process Creation - Detect DCOM-spawned processes -->
    <RuleGroup name="DCOM_ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- MMC20.Application: mmc.exe spawning child processes -->
        <ParentImage condition="end with">mmc.exe</ParentImage>
        <!-- DcomLaunch service spawning COM servers -->
        <ParentCommandLine condition="contains">DcomLaunch</ParentCommandLine>
        <!-- dllhost.exe spawning suspicious children -->
        <ParentImage condition="end with">dllhost.exe</ParentImage>
        <!-- explorer.exe spawning cmd/powershell (ShellWindows/ShellBrowserWindow) -->
        <Rule groupRelation="and">
          <ParentImage condition="end with">explorer.exe</ParentImage>
          <Image condition="end with">cmd.exe</Image>
        </Rule>
        <Rule groupRelation="and">
          <ParentImage condition="end with">explorer.exe</ParentImage>
          <Image condition="end with">powershell.exe</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3: Network Connection - Track DCOM RPC connections -->
    <RuleGroup name="DCOM_NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="include">
        <!-- RPC Endpoint Mapper -->
        <DestinationPort condition="is">135</DestinationPort>
        <!-- DCOM processes making network connections -->
        <Image condition="end with">mmc.exe</Image>
        <Image condition="end with">dllhost.exe</Image>
        <!-- svchost.exe DcomLaunch connections on the dynamic RPC port range -->
        <Rule groupRelation="and">
          <Image condition="end with">svchost.exe</Image>
          <DestinationPort condition="more than">49151</DestinationPort>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 7: Image Loaded - DCOM-related DLLs -->
    <!-- Caution: ole32.dll and rpcrt4.dll are loaded by almost every process on Windows, so this
         group is very high volume as written; scope it to the COM server images above (mmc.exe,
         dllhost.exe, explorer.exe) or use it only for short, targeted collection windows -->
    <RuleGroup name="DCOM_ImageLoaded" groupRelation="or">
      <ImageLoad onmatch="include">
        <ImageLoaded condition="end with">comsvcs.dll</ImageLoaded>
        <ImageLoaded condition="end with">ole32.dll</ImageLoaded>
        <ImageLoaded condition="end with">rpcrt4.dll</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```
```powershell
# Deploy or update the Sysmon configuration (run from an elevated prompt)
sysmon64.exe -c dcom-detection-sysmon.xml

# Verify Sysmon is capturing DCOM-relevant events. Filter on Event IDs 1 and 3 inside the
# query rather than piping through Where-Object, otherwise -MaxEvents caps the sample
# before the ID filter is applied and the result may be empty.
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = @(1, 3) } -MaxEvents 10 |
    Format-Table TimeCreated, Id, Message -Wrap
```
### Step 3: Build SIEM Detection Rules for DCOM Object Abuse
```yaml
# Sigma Rule: MMC20.Application DCOM Lateral Movement
title: DCOM Lateral Movement via MMC20.Application
id: 8a3b5f2e-c1d4-4a9f-b237-1e6f8d2c3a4b
status: stable
description: >
  Detects remote instantiation of MMC20.Application DCOM object by monitoring
  for mmc.exe spawned by svchost.exe DcomLaunch service with subsequent child
  process creation, indicating T1021.003 lateral movement.
references:
  - https://attack.mitre.org/techniques/T1021/003/
  - https://www.cybereason.com/blog/dcom-lateral-movement-techniques
  - https://www.mdsec.co.uk/2020/09/i-lik
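As an added example (not part of this skill or of any referenced tool), the correlation described in Step 1 and in the Sigma rule above, run in Python over constructed Sysmon-style events: mmc.exe started by the DcomLaunch svchost instance and its children, and explorer.exe spawning a shell shortly after an inbound RPC endpoint-mapper connection. The simplified field names, the 30-second window and the sample hosts are assumptions.

```python
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW = timedelta(seconds=30)  # assumed correlation window between RPC hit and process spawn

# Constructed Sysmon-style events (simplified field names, not real telemetry).
SAMPLE_EVENTS = [
    # Inbound connection to the RPC endpoint mapper on SRV01 (Event ID 3, Initiated=false)
    {"id": 3, "host": "SRV01", "time": "2024-01-10T10:00:00", "image": "svchost.exe",
     "dst_port": 135, "initiated": False},
    # MMC20.Application: the DcomLaunch svchost instance starts mmc.exe (Event ID 1)
    {"id": 1, "host": "SRV01", "time": "2024-01-10T10:00:02", "image": "mmc.exe", "pid": 4120,
     "parent_image": "svchost.exe", "parent_pid": 904, "parent_cmdline": "svchost.exe -k DcomLaunch -p"},
    # ExecuteShellCommand: the DCOM-started mmc.exe spawns the command shell
    {"id": 1, "host": "SRV01", "time": "2024-01-10T10:00:03", "image": "cmd.exe", "pid": 4188,
     "parent_image": "mmc.exe", "parent_pid": 4120},
    # ShellWindows / ShellBrowserWindow: RPC hit on SRV02, then explorer.exe spawns powershell.exe
    {"id": 3, "host": "SRV02", "time": "2024-01-10T11:30:00", "image": "svchost.exe",
     "dst_port": 135, "initiated": False},
    {"id": 1, "host": "SRV02", "time": "2024-01-10T11:30:04", "image": "powershell.exe", "pid": 5012,
     "parent_image": "explorer.exe", "parent_pid": 3300},
    # Benign: a user on WS07 opens cmd.exe from explorer.exe with no preceding RPC connection
    {"id": 1, "host": "WS07", "time": "2024-01-10T12:00:00", "image": "cmd.exe", "pid": 2200,
     "parent_image": "explorer.exe", "parent_pid": 1800},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def hunt_dcom_chains(events, window=WINDOW):
    """Return (host, technique, image) tuples for the DCOM process chains described in Steps 1 and 3."""
    rpc_hits = [e for e in events if e["id"] == 3 and e["dst_port"] == 135 and not e["initiated"]]
    dcom_mmc = set()  # (host, pid) of mmc.exe instances started by DcomLaunch
    findings = []
    for e in sorted((e for e in events if e["id"] == 1), key=_ts):
        host, image, parent = e["host"], e["image"], e["parent_image"]
        # MMC20.Application: mmc.exe whose parent is the DcomLaunch svchost instance
        if image == "mmc.exe" and parent == "svchost.exe" and "DcomLaunch" in e.get("parent_cmdline", ""):
            dcom_mmc.add((host, e["pid"]))
            findings.append((host, "MMC20.Application", image))
        # ExecuteShellCommand: any child of a DCOM-started mmc.exe, matched on the parent PID
        elif (host, e["parent_pid"]) in dcom_mmc:
            findings.append((host, "MMC20.Application ExecuteShellCommand", image))
        # ShellWindows/ShellBrowserWindow: explorer.exe spawns a shell shortly after an inbound RPC hit
        elif parent == "explorer.exe" and image in SHELLS and any(
                h["host"] == host and timedelta(0) <= _ts(e) - _ts(h) <= window for h in rpc_hits):
            findings.append((host, "ShellWindows/ShellBrowserWindow", image))
    return findings
```

The explorer.exe branch is the noisy one in practice: tune the window against your baseline of legitimate RPC traffic and pair it with the logon context (Event ID 4624 logon type) of the spawning explorer.exe.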