PH_Rule_SIGMA_458
Enabled
Detects a Windows command line executable started from MMC. This rule is adapted from https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
7
Security
Lateral Movement
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
https://attack.mitre.org/tactics/TA0008T1021.003
Remote Services: Distributed Component Object Model
Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications as well as other Windows objects that contain insecure methods. DCOM can also execute macros in existing documents and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document.
https://attack.mitre.org/techniques/T1021/003Server
Windows Sysmon via FortiSIEM Agent
Correlation
No remediation guidance specified
If the following pattern or patterns match an ingested event within the given time window in seconds, trigger an incident.
300 secondsIf the following defined pattern/s occur within a 300 second time window.
FilterThis is the named definition of the event query, this is important if multiple subpatterns are defined to distinguish them.
This is the query logic that matches incoming events
eventType="Win-Sysmon-1-Create-Process" AND parentProcName REGEXP "\\mmc\.exe$" AND (procName REGEXP "\\bash\.exe$|\\cmd\.exe$|\\cscript\.exe$|\\powershell\.exe$|\\pwsh\.exe$|\\reg\.exe$|\\regsvr32\.exe$|\\sh\.exe$|\\wscript\.exe$" OR procName REGEXP ".*\\BITSADMIN.*")This defines how matching events are aggregated, only events with the same matching attribute values are grouped into one unique incident ID
hostName,parentProcName,procNameThis is most typically a numerical constraint that defines when the rule should trigger an incident
COUNT(*) >= 1This section defines which fields in matching raw events should be mapped to the incident attributes in the resulting incident.
The available raw event attributes to map are limited to the group by attributes and the aggregate event constraint fields for each subpattern
hostName = Filter.hostName,
parentProcName = Filter.parentProcName,
procName = Filter.procName