Query Details

Remote DCOM Child Proc

Query

// DESCRIPTION: A DCOM server spawned a child process after an inbound network connection
// NOTE: DCOM server in-memory execution is possible through procedures like Excel DCOM RegisterXLL and Outlook DCOM CreateObject
//       Separate alerts will be created for detecting DCOM lateral movement without child processes
let DCOMInboundConnections = materialize(
    DeviceNetworkEvents
    // Inbound connections accepted by a process that svchost spawned
    | where ActionType == "InboundConnectionAccepted"
    | where InitiatingProcessParentFileName == "svchost.exe"
    // DCOM server exclusions (before join for optimization)
    | where RemoteIP !contains "127.0.0.1"  // Loopback traffic TODO: why is this happening? znremote using DCOM on v-xmfax01 -- wsmprovhost.exe
    | where InitiatingProcessFileName != "raserver.exe"  // Quick Assist -- TODO: cover in another rule
    // Get full svchost command line so we can filter on DcomLaunch
    | join kind=innerunique DeviceProcessEvents on
        DeviceName,
        $left.InitiatingProcessId == $right.ProcessId,
        $left.InitiatingProcessFileName == $right.FileName
    | where InitiatingProcessCommandLine1 contains "svchost.exe -k DcomLaunch"
    // Take only what we need for joins and final output -- less mess later
    | project DeviceName, FileName, ProcessId, RemoteIP, RemotePort, LocalIP, LocalPort
);
DCOMInboundConnections
// Get DCOM server child processes
| join kind=innerunique DeviceProcessEvents on
    DeviceName,
    $left.ProcessId == $right.InitiatingProcessId,
    $left.FileName == $right.InitiatingProcessFileName
// Clean up old fields -- DCOM server is now parent process
| extend FileName = FileName1, ProcessId = ProcessId1
| project-away *1
| sort by Timestamp
// Child process exclusions
| where FileName != "WerFault.exe"  // DCOM server crash

Explanation

This KQL (Kusto Query Language) query is designed to detect when a DCOM (Distributed Component Object Model) server spawns a child process after accepting an inbound network connection. Here’s a simplified breakdown of what the query does:

  1. Identify Inbound Connections to DCOM Servers:

    • The query first looks at network events where an inbound connection was accepted by a process whose parent is svchost.exe.
    • It excludes loopback traffic (connections from 127.0.0.1) and connections accepted by raserver.exe (used by Quick Assist).
  2. Filter for DCOM-Related Processes:

    • It joins these network events with the creation events of the accepting processes, so that the parent command line becomes available, and keeps only processes whose parent svchost.exe was started with svchost.exe -k DcomLaunch, indicating the process is a DCOM server launched by the DCOM Server Process Launcher.
  3. Track Child Processes:

    • The query then joins this filtered list with another set of process events to find child processes spawned by these DCOM servers.
    • It cleans up the data to focus on relevant fields and sorts the results by timestamp.
  4. Exclude Specific Child Processes:

    • Finally, it excludes child processes named WerFault.exe, which is associated with DCOM server crashes.

In summary, this query tracks inbound network connections to DCOM servers and identifies any child processes they spawn, while excluding certain known benign processes and connections.
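The join and exclusion logic described above, re-implemented in plain Python over constructed MDE-style records so that the matching behaviour can be traced offline. This is an added example, not the page's query or anything from the author; column names follow the advanced hunting schema the query reads, but every row, host name, PID and IP below is made up for illustration.

```python
# Added example (not the page's KQL): the detection's two joins and its
# exclusions re-implemented over constructed DeviceNetworkEvents and
# DeviceProcessEvents rows. All values are fabricated sample data.

DCOM_LAUNCH = "svchost.exe -k DcomLaunch"

# Constructed DeviceNetworkEvents rows (only the columns the query reads).
NETWORK_EVENTS = [
    # mmc.exe, launched by the DcomLaunch svchost, accepts a remote connection
    {"DeviceName": "ws01", "ActionType": "InboundConnectionAccepted",
     "InitiatingProcessId": 4120, "InitiatingProcessFileName": "mmc.exe",
     "InitiatingProcessParentFileName": "svchost.exe",
     "RemoteIP": "10.0.0.25", "RemotePort": 49700, "LocalIP": "10.0.0.10", "LocalPort": 135},
    # loopback traffic to a DCOM server: dropped by the RemoteIP exclusion
    {"DeviceName": "ws01", "ActionType": "InboundConnectionAccepted",
     "InitiatingProcessId": 5100, "InitiatingProcessFileName": "wsmprovhost.exe",
     "InitiatingProcessParentFileName": "svchost.exe",
     "RemoteIP": "127.0.0.1", "RemotePort": 50000, "LocalIP": "127.0.0.1", "LocalPort": 5985},
    # Quick Assist: dropped by the raserver.exe exclusion
    {"DeviceName": "ws01", "ActionType": "InboundConnectionAccepted",
     "InitiatingProcessId": 5200, "InitiatingProcessFileName": "raserver.exe",
     "InitiatingProcessParentFileName": "svchost.exe",
     "RemoteIP": "10.0.0.30", "RemotePort": 49800, "LocalIP": "10.0.0.10", "LocalPort": 443},
    # child of a different svchost group: passes the network filters, fails the DcomLaunch check
    {"DeviceName": "ws01", "ActionType": "InboundConnectionAccepted",
     "InitiatingProcessId": 6000, "InitiatingProcessFileName": "taskhostw.exe",
     "InitiatingProcessParentFileName": "svchost.exe",
     "RemoteIP": "10.0.0.40", "RemotePort": 49900, "LocalIP": "10.0.0.10", "LocalPort": 8000},
]

def _proc(ts, pid, name, cmd, ppid, pname, pcmd):
    """Build one constructed DeviceProcessEvents row."""
    return {"Timestamp": ts, "DeviceName": "ws01", "ProcessId": pid, "FileName": name,
            "ProcessCommandLine": cmd, "InitiatingProcessId": ppid,
            "InitiatingProcessFileName": pname, "InitiatingProcessCommandLine": pcmd}

# Constructed DeviceProcessEvents rows: creation of each server above, then children.
PROCESS_EVENTS = [
    _proc("2024-08-05T10:00:00Z", 4120, "mmc.exe", "mmc.exe -Embedding", 900, "svchost.exe", "svchost.exe -k DcomLaunch -p"),
    _proc("2024-08-05T10:00:01Z", 5100, "wsmprovhost.exe", "wsmprovhost.exe -Embedding", 900, "svchost.exe", "svchost.exe -k DcomLaunch -p"),
    _proc("2024-08-05T10:00:02Z", 5200, "raserver.exe", "raserver.exe /offerraupdate", 900, "svchost.exe", "svchost.exe -k DcomLaunch -p"),
    _proc("2024-08-05T10:00:03Z", 6000, "taskhostw.exe", "taskhostw.exe", 950, "svchost.exe", "svchost.exe -k netsvcs -p"),
    # children of mmc.exe: one flagged, one excluded as the crash handler
    _proc("2024-08-05T10:00:05Z", 7320, "cmd.exe", "cmd.exe /c hostname", 4120, "mmc.exe", "mmc.exe -Embedding"),
    _proc("2024-08-05T10:00:06Z", 7400, "WerFault.exe", "WerFault.exe -u -p 4120", 4120, "mmc.exe", "mmc.exe -Embedding"),
    # child of wsmprovhost.exe: its parent only saw loopback traffic, so it is never reached
    _proc("2024-08-05T10:00:07Z", 7500, "powershell.exe", "powershell.exe", 5100, "wsmprovhost.exe", "wsmprovhost.exe -Embedding"),
]

def dcom_inbound_connections(network_events, process_events):
    """Steps 1 and 2: connections accepted by a process whose parent is the DcomLaunch svchost.

    Mirrors the first join: the right side is the creation event of the accepting
    process, so that row's InitiatingProcessCommandLine (InitiatingProcessCommandLine1
    in the KQL) is the command line of the parent svchost.
    """
    creation = {(p["DeviceName"], p["ProcessId"], p["FileName"]): p for p in process_events}
    seen, servers = set(), []
    for n in network_events:
        if n["ActionType"] != "InboundConnectionAccepted":
            continue
        if n["InitiatingProcessParentFileName"] != "svchost.exe":
            continue
        if "127.0.0.1" in n["RemoteIP"] or n["InitiatingProcessFileName"] == "raserver.exe":
            continue
        key = (n["DeviceName"], n["InitiatingProcessId"], n["InitiatingProcessFileName"])
        if key in seen:  # join kind=innerunique keeps one left row per join key
            continue
        seen.add(key)
        p = creation.get(key)
        if p is None or DCOM_LAUNCH not in p["InitiatingProcessCommandLine"]:
            continue
        servers.append({"DeviceName": n["DeviceName"], "FileName": p["FileName"], "ProcessId": p["ProcessId"],
                        "RemoteIP": n["RemoteIP"], "RemotePort": n["RemotePort"],
                        "LocalIP": n["LocalIP"], "LocalPort": n["LocalPort"]})
    return servers

def dcom_child_processes(network_events, process_events):
    """Steps 3 and 4: children of each DCOM server, minus the WerFault.exe crash handler."""
    hits = []
    for s in dcom_inbound_connections(network_events, process_events):
        for p in process_events:
            parent = (p["DeviceName"], p["InitiatingProcessId"], p["InitiatingProcessFileName"])
            if parent != (s["DeviceName"], s["ProcessId"], s["FileName"]):
                continue
            if p["FileName"] == "WerFault.exe":
                continue
            row = dict(s)
            row.update(p)  # child's FileName/ProcessId replace the server's, as the extend/project-away does
            hits.append(row)
    return sorted(hits, key=lambda h: h["Timestamp"])

if __name__ == "__main__":
    for h in dcom_child_processes(NETWORK_EVENTS, PROCESS_EVENTS):
        print(h["Timestamp"], h["RemoteIP"], "->", h["InitiatingProcessFileName"], "spawned", h["ProcessCommandLine"])
```

Only the cmd.exe child of mmc.exe survives: the loopback and Quick Assist connections fall out before the first join, the netsvcs-hosted process fails the DcomLaunch check, and the WerFault.exe child is dropped at the end. One side effect worth noting when tuning the real query: because innerunique keeps a single left row per join key, a DCOM server that accepted several remote connections is reported with only one of them.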

Details


C.J. May

Released: August 5, 2024

Tables

DeviceNetworkEvents, DeviceProcessEvents

Keywords

Devices

Operators

materialize, |, ==, !contains, !=, join, on, ==, ==, contains, project, extend, project-away, sort by
