Hi, I was just working on an incident where the first malicious process was mshta.exe, kicked off by a DCOM call (the ParentCommandLine value of the malicious SYSMON_CREATE_PROCESS event was "C:\WINDOWS\system32\svchost.exe -k DcomLaunch"). It would be awesome if there were a way for Sysmon to log the identity of the process that issued the DCOM request resulting in the creation of this process. As far as I'm aware, there's currently no way to track this back explicitly. From the forensic analysis, we're thinking the user downloaded a .hta file and clicked 'Run' on the resultant IE pop-up box, so the DCOM request for the process startup would have come from IE. Can anybody verify that that's how invocation of a downloaded file within IE works?
Obviously, there are a lot of DCOM requests in Windows, so it would be important to be able to filter by the requesting application (or other source, such as the network).
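As an added illustration of what the existing Sysmon process-creation event does and does not give you (this is example code written for this thread, not Sysmon's code or the poster's), the scanner below parses Sysmon Event ID 1 XML records and flags script hosts such as mshta.exe whose ParentCommandLine is the DcomLaunch svchost. The sample events are constructed, the set of watched child images is an assumption to tune per environment, and the hit record deliberately shows that ParentProcessId points at the svchost service host rather than the DCOM client that asked for the launch.

```python
"""Flag Sysmon Event ID 1 records where a script host was spawned by the
DcomLaunch svchost.  Example code for this thread, not part of Sysmon.
Field names (Image, ParentCommandLine, ...) follow Sysmon's process-
creation schema; all sample events below are constructed."""
import re
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Script/HTML hosts that are rarely legitimate children of the DcomLaunch
# svchost.  Assumption: tune this list for your own environment.
WATCHED_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe"}
DCOM_PARENT = re.compile(r"svchost\.exe\s+-k\s+DcomLaunch\b", re.IGNORECASE)


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) for one Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, data


def is_dcom_launched_script_host(event_id, data):
    """True when a watched child image was created by 'svchost.exe -k DcomLaunch'."""
    if event_id != 1:  # only process-creation events carry ParentCommandLine
        return False
    child = data.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent_cmd = data.get("ParentCommandLine", "")
    return child in WATCHED_CHILDREN and DCOM_PARENT.search(parent_cmd) is not None


def find_dcom_script_hosts(events):
    """Scan raw event XML strings and summarise each hit.

    ParentProcessId in a hit is the DcomLaunch svchost itself; the DCOM
    client that requested the activation is not in the event at all, which
    is the gap discussed in the post."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if is_dcom_launched_script_host(event_id, data):
            hits.append({
                "time": data.get("UtcTime"),
                "user": data.get("User"),
                "image": data.get("Image"),
                "command_line": data.get("CommandLine"),
                "parent_pid": data.get("ParentProcessId"),
            })
    return hits


def _event(event_id, **fields):
    """Build a minimal Sysmon-style event record (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample events: one DCOM-launched mshta.exe, one mshta.exe
# started from the shell, one unrelated DcomLaunch child, one network event.
SAMPLE_EVENTS = [
    _event(1, UtcTime="2019-01-01 10:00:00.000", ProcessId="4120",
           Image=r"C:\Windows\System32\mshta.exe",
           CommandLine=r'"C:\Windows\System32\mshta.exe" "C:\Users\bob\Downloads\sample.hta"',
           User=r"CORP\bob", ParentProcessId="912",
           ParentImage=r"C:\Windows\System32\svchost.exe",
           ParentCommandLine=r"C:\WINDOWS\system32\svchost.exe -k DcomLaunch"),
    _event(1, UtcTime="2019-01-01 10:05:00.000", ProcessId="4300",
           Image=r"C:\Windows\System32\mshta.exe",
           CommandLine=r'"C:\Windows\System32\mshta.exe" "C:\Tools\admin.hta"',
           User=r"CORP\bob", ParentProcessId="2210",
           ParentImage=r"C:\Windows\explorer.exe",
           ParentCommandLine=r"C:\Windows\Explorer.EXE"),
    _event(1, UtcTime="2019-01-01 10:06:00.000", ProcessId="4410",
           Image=r"C:\Windows\System32\notepad.exe",
           CommandLine=r'"C:\Windows\System32\notepad.exe"',
           User=r"CORP\bob", ParentProcessId="912",
           ParentImage=r"C:\Windows\System32\svchost.exe",
           ParentCommandLine=r"C:\WINDOWS\system32\svchost.exe -k DcomLaunch"),
    _event(3, UtcTime="2019-01-01 10:00:01.000", ProcessId="4120",
           Image=r"C:\Windows\System32\mshta.exe", User=r"CORP\bob"),
]

if __name__ == "__main__":
    for hit in find_dcom_script_hosts(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed sample, only the first record is reported; the explorer.exe-launched mshta.exe and the notepad.exe child of DcomLaunch are left alone. Correlating the hit's ParentProcessId back to a browser or another DCOM client still has to come from a source outside Sysmon, which is the point of the feature request.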