
Summary
The detection rule identifies suspicious use of the Distributed Component Object Model (DCOM) technology, specifically the execution of HTML Applications (HTA) through the MSHTA executable. This behavior can indicate an attacker attempting lateral movement within a network while evading traditional security measures. The rule monitors for mshta.exe processes started with a specific argument ('-Embedding') and correlates them with network activity, specifically ingress TCP connections from non-local IP addresses on specific port ranges. The high risk score of 73 reflects that this combination is rarely benign and could indicate an active compromise in the environment.
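To make the correlation concrete, here is an added example (not the rule's own query, and not code from the rule's authors) that applies the pattern described above to a handful of constructed endpoint events. It assumes simplified event dictionaries, a 30-second correlation window, and the RPC dynamic port range 49152-65535 standing in for the page's unspecified "specific port ranges"; all three are assumptions made for the example.

```python
"""Added example: correlate mshta.exe '-Embedding' process starts with ingress
TCP connections from non-local sources, mirroring the rule's described logic."""
import ipaddress
from datetime import datetime, timedelta

# Assumed destination-port range on the receiving host (RPC dynamic range);
# the page only says "specific port ranges".
DYNAMIC_PORTS = range(49152, 65536)
# Assumed correlation window between process start and network connection.
WINDOW = timedelta(seconds=30)


def is_local_ip(ip: str) -> bool:
    """True for loopback, link-local and unspecified addresses (same-host traffic)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_link_local or addr.is_unspecified


def is_mshta_embedding(event: dict) -> bool:
    """Process start of mshta.exe carrying the DCOM activation flag '-Embedding'."""
    return (event["type"] == "process_start"
            and event["process_name"].lower() == "mshta.exe"
            and "-embedding" in event["args"].lower())


def correlate(events):
    """Return (process_event, network_event) pairs matching the rule's pattern:
    same host and pid, ingress TCP from a non-local IP on a dynamic port,
    observed within WINDOW after the process start."""
    hits = []
    candidates = [e for e in events if is_mshta_embedding(e)]
    for net in events:
        if net["type"] != "network_connection":
            continue
        if net["protocol"] != "tcp" or net["direction"] != "ingress":
            continue
        if net["destination_port"] not in DYNAMIC_PORTS:
            continue
        if is_local_ip(net["source_ip"]):
            continue
        for proc in candidates:
            if proc["host"] == net["host"] and proc["pid"] == net["pid"]:
                delta = net["timestamp"] - proc["timestamp"]
                if timedelta(0) <= delta <= WINDOW:
                    hits.append((proc, net))
    return hits


# Constructed sample events: one true positive and three benign look-alikes.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    # DCOM-activated mshta.exe on WS01 (suspicious)
    {"type": "process_start", "host": "WS01", "pid": 4120, "timestamp": T0,
     "process_name": "mshta.exe", "args": "C:\\Windows\\System32\\mshta.exe -Embedding"},
    # Inbound TCP from another host to the same pid on a dynamic port, 2 s later
    {"type": "network_connection", "host": "WS01", "pid": 4120,
     "timestamp": T0 + timedelta(seconds=2), "protocol": "tcp", "direction": "ingress",
     "source_ip": "10.0.0.5", "destination_port": 49670},
    # Benign: user double-clicked a local .hta file (no -Embedding)
    {"type": "process_start", "host": "WS01", "pid": 5000, "timestamp": T0,
     "process_name": "mshta.exe", "args": "mshta.exe C:\\Users\\alice\\tool.hta"},
    # Benign: same-host loopback traffic to the suspicious pid
    {"type": "network_connection", "host": "WS01", "pid": 4120,
     "timestamp": T0 + timedelta(seconds=3), "protocol": "tcp", "direction": "ingress",
     "source_ip": "127.0.0.1", "destination_port": 49671},
    # Benign: outbound HTTPS from the suspicious pid (wrong direction and port)
    {"type": "network_connection", "host": "WS01", "pid": 4120,
     "timestamp": T0 + timedelta(seconds=4), "protocol": "tcp", "direction": "egress",
     "source_ip": "10.0.0.20", "destination_port": 443},
]


def run_sample():
    """Run the correlation over the constructed events."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for proc, net in run_sample():
        print(f"ALERT host={proc['host']} pid={proc['pid']} "
              f"src={net['source_ip']} dport={net['destination_port']}")
```

Only the first pair fires: the loopback connection is filtered as local, the outbound HTTPS connection fails both the direction and port checks, and the interactively launched .hta lacks the '-Embedding' flag. In a real deployment the host, pid and timestamp joins would be performed by the SIEM's sequence or join operator rather than in Python.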
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- Windows Registry
ATT&CK Techniques
- T1021
- T1021.003
- T1218
- T1218.005
Created: 2020-11-03