Sysmon Feature Request: Log Source of DCOM Calls

  • Question

  • Hi,
    I was just working on an incident where the first malicious process was mshta.exe, kicked off by a DCOM call (The ParentCommandLine value of the malicious SYSMON_CREATE_PROCESS event was "C:\WINDOWS\system32\svchost.exe -k DcomLaunch"). It would be awesome if there were a way for Sysmon to log the identity of the process that issued the DCOM request resulting in the creation of this process. As far as I'm aware, there's currently no way to track this back explicitly. From the forensic analysis, we're thinking the user downloaded a .hta file, and clicked 'run' on the resultant IE pop-up box, so the DCOM request for the process startup would have come from IE. Can anybody verify that that's how invocation of a downloaded file within IE works?

    Obviously, there are a lot of DCOM requests in Windows, so it would be important to be able to filter by the requesting application (or other source, such as the network).

    Friday, March 23, 2018 5:00 AM

All replies

  • We use COM and DCOM heavily; I'd love to have a tool to give me insight into what might be going on :)
    Sunday, April 1, 2018 11:38 AM
  • It doesn't have to be a downloaded hta. It can be in-line in an html web page or html email.

    <!DOCTYPE html>
    <html>
    <head>
        <HTA:APPLICATION ID="host" BORDER="thin" BORDERSTYLE="complex" maximizeButton="yes" minimizeButton="yes" scroll="no"/>
        <script for="prize" event="onClick" language="VBScript">
            Dim notMal
            Set notMal = CreateObject("WScript.Shell")
            notMal.Run "powershell.exe -e VwByAGkAdABlAC0ASABvAHMAdAAgACIAUABXAE4ARQBEACIAOwAgAHIAZQBhAGQALQBoAG8AcwB0AA=="
        </script>
    </head>
    <body>
        You're our millionth victim!
        <input type="button" value="Claim my prize!"/>
    </body>
    </html>

    Allowing mshta.exe to run is a sure-fire way to allow adversaries a foothold in your environment.

    Saturday, April 14, 2018 9:54 AM
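Added example (not part of this thread and not Sysmon's own code): Python that applies the two process-creation patterns the thread describes to a few constructed Sysmon Event ID 1 records exported as XML. The first hunt is the original poster's case, mshta.exe created under "svchost.exe -k DcomLaunch"; the second is the HTA in the reply above spawning powershell.exe, with the -EncodedCommand argument decoded for the analyst. The event records, process IDs and file paths are constructed for illustration; the encoded string is the one from the reply. Sysmon itself does not record which DCOM client requested the activation, so the first hunt can only key on the DcomLaunch parent and a short list of script hosts.

```python
"""Two process-creation hunts from this thread, run over constructed Sysmon
Event ID 1 records: (1) mshta.exe whose parent is "svchost.exe -k DcomLaunch",
i.e. a process activated through DCOM, and (2) mshta.exe spawning a shell such
as powershell.exe, with the -EncodedCommand payload decoded for the analyst.
Added example, not Sysmon's code; every record below is constructed."""
import base64
import ntpath
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SCRIPT_HOSTS = {"mshta.exe"}                      # children of DcomLaunch worth alerting on
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events in the shape of a Windows event XML export.
# Field names are Sysmon's EventData names; PIDs and paths are made up.
SAMPLE_EVENTS = [
    # 1. mshta.exe activated by the DCOM launcher (the original poster's case)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData><Data Name="ProcessId">4120</Data>
<Data Name="Image">C:\Windows\System32\mshta.exe</Data>
<Data Name="CommandLine">"C:\Windows\System32\mshta.exe" C:\Users\user\Downloads\prize.hta</Data>
<Data Name="ParentProcessId">904</Data>
<Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
<Data Name="ParentCommandLine">C:\WINDOWS\system32\svchost.exe -k DcomLaunch</Data>
</EventData></Event>""",
    # 2. the shell started by the HTA's WScript.Shell.Run call (encoded string from the reply)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData><Data Name="ProcessId">4188</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -e VwByAGkAdABlAC0ASABvAHMAdAAgACIAUABXAE4ARQBEACIAOwAgAHIAZQBhAGQALQBoAG8AcwB0AA==</Data>
<Data Name="ParentProcessId">4120</Data>
<Data Name="ParentImage">C:\Windows\System32\mshta.exe</Data>
<Data Name="ParentCommandLine">"C:\Windows\System32\mshta.exe" C:\Users\user\Downloads\prize.hta</Data>
</EventData></Event>""",
    # 3. benign noise: the DCOM launcher also starts ordinary system processes
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData><Data Name="ProcessId">5200</Data>
<Data Name="Image">C:\Windows\System32\backgroundTaskHost.exe</Data>
<Data Name="CommandLine">"C:\Windows\System32\backgroundTaskHost.exe" -ServerName:App.AppX</Data>
<Data Name="ParentProcessId">904</Data>
<Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
<Data Name="ParentCommandLine">C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p</Data>
</EventData></Event>""",
]


def parse_event(xml_text):
    """Flatten one exported event into a dict: EventID plus every EventData field."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": (root.findtext(f"{NS}System/{NS}EventID") or "").strip()}
    for data in root.iter(f"{NS}Data"):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def _basename(path):
    """Case-folded file name of an image path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip().strip('"')).lower()


def is_dcom_launch_parent(parent_cmdline):
    """True for the DCOM launcher service host ("svchost.exe -k DcomLaunch"),
    also when further switches such as -p follow on newer Windows builds."""
    tokens = parent_cmdline.lower().split()
    return (len(tokens) >= 3 and _basename(tokens[0]) == "svchost.exe"
            and tokens[1] == "-k" and tokens[2] == "dcomlaunch")


def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE text).
    PowerShell accepts any unambiguous prefix of the switch, so -e and -enc match.
    Returns None when the command line carries no decodable encoded command."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lower().lstrip("-/")
        if flag[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt(xml_records):
    """Apply both detections; returns (rule, pid, detail) tuples in event order."""
    findings = []
    for ev in map(parse_event, xml_records):
        if ev.get("EventID") != "1":
            continue
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        if image in SCRIPT_HOSTS and is_dcom_launch_parent(ev.get("ParentCommandLine", "")):
            findings.append(("dcom_launched_script_host", ev["ProcessId"], ev["Image"]))
        if parent == "mshta.exe" and image in SHELLS:
            findings.append(("mshta_spawned_shell", ev["ProcessId"],
                             decode_encoded_command(ev.get("CommandLine", ""))))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}\tpid={pid}\t{detail}")
```

Run as a script it prints one line per finding: the DcomLaunch-spawned mshta.exe and, for the child shell, the decoded command. The third record shows why the DcomLaunch parent alone is not a usable signal: the launcher starts plenty of legitimate processes, which is exactly the filtering problem the original poster raises.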