
Introduction:
Lateral movement remains a critical phase of an intrusion: it is how an adversary turns one compromised host into many. A technique that triggers ODBC driver installations over DCOM, with the payload carried in Windows Installer custom actions, slips past detections built around the usual remote-execution tooling because every component involved is a signed Microsoft binary doing a job it was designed to do. This article dissects the attack chain and provides detection strategies using KQL and Windows event auditing.
Learning Objectives:
- Understand the technical mechanics of DCOM-based lateral movement using MSI packages
- Master KQL detection queries for identifying suspicious ODBC driver installation activity
- Implement multi-layered monitoring strategies for Windows Installer-based attacks
You Should Know:
1. DCOM Lateral Movement Fundamentals
The Distributed Component Object Model (DCOM) lets a client activate and call COM objects on a remote machine over RPC. The Windows Installer exposes such an object (WindowsInstaller.Installer), so an attacker holding administrative rights on the target can ask the remote installer to install an MSI package, here one carrying an ODBC driver with malicious custom actions, without copying a service binary or creating a process through PsExec or WMI.

// Detect msiexec launched by the DCOM activation host (svchost.exe -k DcomLaunch)
DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where InitiatingProcessFileName =~ "svchost.exe"
| where InitiatingProcessCommandLine has "DcomLaunch"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine

This query looks for msiexec.exe launched by the DCOM activation host rather than by an interactive user or a software-deployment agent. Depending on how the Installer object is activated, the parent chain may instead run through the Windows Installer service (services.exe), which is the shape section 7 covers. Review the parent-child relationship, the account and the package source: legitimate deployment tools also drive the Windows Installer, so baseline them before alerting on every hit.
2. Windows Installer Custom Action Analysis
Custom actions in an MSI package run arbitrary code (a DLL, an EXE, or VBScript/JScript) at a chosen point in the install sequence. When a custom action is deferred and marked NoImpersonate, the Windows Installer service runs it as LocalSystem, so a package installed through the service hands the attacker SYSTEM on the target. An ODBC driver is a convenient carrier: driver installs are routine and the package legitimately drops DLLs onto the box.

// Files written by msiexec during an ODBC driver installation
DeviceFileEvents
| where InitiatingProcessFileName =~ "msiexec.exe"
| where ActionType == "FileCreated"
| where FileName endswith ".dll" or FileName endswith ".exe"
| where FolderPath contains "ODBC"
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessCommandLine

This detection lists files written by msiexec into ODBC-named folders during a driver installation. Treat the folder filter as a starting point rather than a boundary: a custom action can write anywhere, so widen or drop the FolderPath clause once you know what normal driver deployments look like in your environment, and pivot on the file hash and on non-standard paths.
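To see what a custom action can do before it runs, decode the Type column of the package's CustomAction table. The following is an added example, not code from the original post: the bit values are the documented Windows Installer ones, while the sample rows and action names are constructed for illustration. It applies to any MSI, not only ODBC driver packages.

```python
"""Decode and triage the Type column of an MSI CustomAction table.

Added example for this article, not code from the original post. The bit values are
those documented for the Windows Installer CustomAction table; the sample rows at the
bottom are constructed (hypothetical action names), not taken from any real package,
and reading the table out of an .msi file is left to tools such as msitools or olefile.
"""
from dataclasses import dataclass

# Bits 4-5 of Type: where the code or text comes from.
SOURCE = {0x00: "Binary table stream", 0x10: "installed file", 0x20: "directory", 0x30: "property"}
# Bits 0-3 of Type: what the action is. 3 means formatted text (set property/directory or error).
TARGET = {1: "DLL", 2: "EXE", 3: "text", 5: "JScript", 6: "VBScript", 7: "nested MSI"}
CODE_TARGETS = {"DLL", "EXE", "JScript", "VBScript", "nested MSI"}

FLAG_CONTINUE = 0x40         # ignore the return code
FLAG_ASYNC = 0x80            # run asynchronously
FLAG_ROLLBACK = 0x100        # rollback action, only meaningful with FLAG_IN_SCRIPT
FLAG_COMMIT = 0x200          # commit action, only meaningful with FLAG_IN_SCRIPT
FLAG_IN_SCRIPT = 0x400       # deferred: runs from the installation script
FLAG_NO_IMPERSONATE = 0x800  # deferred action runs as LocalSystem instead of the user
FLAG_HIDE_TARGET = 0x2000    # keep the Target column out of the verbose log


@dataclass
class Finding:
    name: str
    source: str
    target: str
    executes_code: bool
    deferred: bool
    no_impersonate: bool
    hide_target: bool
    severity: str


def decode_type(type_value: int) -> dict:
    """Split a CustomAction.Type value into source, target and option flags."""
    deferred = bool(type_value & FLAG_IN_SCRIPT)
    source = SOURCE.get(type_value & 0x30, "unknown")
    target = TARGET.get(type_value & 0x0F, "unknown")
    if target in ("JScript", "VBScript") and (type_value & 0x30) == 0x20:
        source = "Target column text"  # types 37/38: the script body is inline in the table
    return {
        "source": source, "target": target, "deferred": deferred,
        "rollback": deferred and bool(type_value & FLAG_ROLLBACK),
        "commit": deferred and bool(type_value & FLAG_COMMIT),
        "no_impersonate": bool(type_value & FLAG_NO_IMPERSONATE),
        "async": bool(type_value & FLAG_ASYNC),
        "continue": bool(type_value & FLAG_CONTINUE),
        "hide_target": bool(type_value & FLAG_HIDE_TARGET),
    }


def triage(rows):
    """rows: (Action, Type, Source, Target) tuples as stored in the CustomAction table."""
    findings = []
    for action, type_value, _source, _target in rows:
        d = decode_type(type_value)
        executes_code = d["target"] in CODE_TARGETS
        if executes_code and d["deferred"] and d["no_impersonate"]:
            severity = "high"    # arbitrary code as LocalSystem on the target host
        elif executes_code and (d["hide_target"] or d["source"] == "property"):
            severity = "medium"  # command hidden from the log, or supplied at run time via a property
        elif executes_code:
            severity = "low"
        else:
            severity = "info"    # set-property / set-directory / error text, no code runs
        findings.append(Finding(action, d["source"], d["target"], executes_code,
                                d["deferred"], d["no_impersonate"], d["hide_target"], severity))
    return findings


# Constructed sample table: (Action, Type, Source, Target)
SAMPLE_ROWS = [
    ("InstallDriverHelper", 3074, "HelperBin", ""),                 # 2048+1024+2: EXE from Binary table, deferred, LocalSystem
    ("SetDriverDir", 51, "DRIVERDIR", "[ProgramFilesFolder]ODBC"),  # 48+3: set a property, no code runs
    ("RunFromProperty", 1074, "POSTINSTALLCMD", ""),                # 1024+50: EXE path taken from a property, deferred
    ("Cleanup", 8230, "", 'CreateObject("WScript.Shell")'),         # 8192+38: inline VBScript with the target hidden
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.severity:6} {f.name:20} {f.target:8} from {f.source}"
              + (" deferred" if f.deferred else "") + (" LocalSystem" if f.no_impersonate else ""))
```

A deferred action with NoImpersonate set is the combination to look for: it is the only way package code obtains LocalSystem through the installer service, which is exactly what a driver package pushed over DCOM needs. Extract the real CustomAction table with msitools (or any MSI database reader) and feed the rows to triage().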
3. Network Connection Correlation
Remote activation leaves a network trail on both ends: the source connects to the RPC endpoint mapper on the target and then to the activated server process, and any payload spawned by a custom action may call back out. Correlating processes spawned by msiexec with connections on the same device inside a short window turns two weak signals into a stronger one.

// Correlate processes spawned by msiexec with network connections on the same device
let MsiChildren = DeviceProcessEvents
    | where InitiatingProcessFileName =~ "msiexec.exe"
    | project DeviceId, DeviceName, MsiTime = TimeGenerated, ChildProcess = FileName, ChildCommandLine = ProcessCommandLine;
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where ipv4_is_private(RemoteIP)
| project DeviceId, NetTime = TimeGenerated, RemoteIP, RemotePort, ConnectingProcess = InitiatingProcessFileName
| join kind=inner MsiChildren on DeviceId
| where NetTime between (MsiTime .. (MsiTime + 5m))
| project MsiTime, NetTime, DeviceName, ChildProcess, ChildCommandLine, ConnectingProcess, RemoteIP, RemotePort

The query keeps only connections that occur within five minutes after msiexec spawned a child process on the same device. The two timestamps are renamed before the join so the window test is unambiguous, and ipv4_is_private() covers 172.16.0.0/12 as well as 10.0.0.0/8 and 192.168.0.0/16. Adjust the window and the direction (inbound from the source host, or outbound from a dropped payload) to the pivot you expect to see.
4. ODBC Driver Registry Modification Detection
ODBC driver installation registers the driver under HKLM\SOFTWARE\ODBC\ODBCINST.INI (and the WOW6432Node equivalent for 32-bit drivers), so those keys are a natural audit point.

# Monitor ODBC driver registry modifications.
# Event ID 4657 is only written when "Audit Registry" auditing is on and the key carries a SACL.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4657} |
    Where-Object { $_.Message -like '*ODBC*' -and $_.Message -like '*Driver*' } |
    ForEach-Object {
        Write-Host "Suspicious ODBC registry modification detected: $($_.TimeCreated)"
        Write-Host "Details: $($_.Message)"
    }

This PowerShell script pulls Security event ID 4657 (a registry value was modified) and keeps entries whose message mentions both ODBC and Driver; -like matches the whole string, so the wildcards are required. Two caveats: 4657 is generated only when object access auditing for the registry is enabled and a SACL has been set on the ODBC keys, and a driver install also shows up as key creation rather than value modification. Where SACLs are not deployed, Sysmon event IDs 12 and 13 scoped to the ODBCINST.INI path are the usual alternative.
5. Custom Action Code Loaded into msiexec
Custom action DLLs do not run inside the installer service process itself: the service spawns a separate msiexec.exe custom action server and loads the DLL there, and an action that goes on to inject into another process starts from that server. DLLs loaded into msiexec from outside the Windows and Microsoft directories are therefore a direct view of custom action code.

// Non-Microsoft DLLs loaded into msiexec (custom action DLLs run inside a msiexec custom action server)
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "msiexec.exe"
| where FileName endswith ".dll"
| where not (FolderPath contains "Microsoft" or FolderPath contains "Windows")
| summarize LoadCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, FolderPath, FileName

This query lists non-Microsoft DLLs loaded into msiexec. Do not gate on a high load count: a custom action DLL is loaded once per execution, so a single load from a user-writable or temporary directory is already worth a look. Note that a DLL stored in the package's Binary table is extracted to C:\Windows\Installer as MSI####.tmp before it is loaded, so the ".dll" suffix filter and the "Windows" exclusion both miss it; match on the folder instead where you can.
6. Scheduled Task Persistence Detection
Attackers often use MSI custom actions to create scheduled tasks for persistence, since a task created during installation survives the uninstall.

// Scheduled task creation spawned by an MSI custom action
DeviceProcessEvents
| where InitiatingProcessFileName =~ "msiexec.exe"
| where ProcessCommandLine contains "schtasks" or ProcessCommandLine contains "at.exe" or ProcessCommandLine contains "Register-ScheduledTask"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine

Monitor for task-scheduling commands spawned by msiexec, which may indicate persistence being deployed. at.exe is deprecated and absent from current Windows releases but still turns up on older servers, and a PowerShell custom action can call Register-ScheduledTask instead of schtasks.
7. Advanced KQL Correlation Query
A comprehensive detection combining the three telemetry sources above for a higher-fidelity alert.

// Comprehensive lateral movement detection:
// custom action server spawned by the Windows Installer service
// + inbound DCOM/RPC connection accepted by msiexec
// + DLL loaded into that custom action server from outside System32
let CustomActionServers = DeviceProcessEvents
    | where InitiatingProcessParentFileName =~ "services.exe"
    | where InitiatingProcessFileName =~ "msiexec.exe"
    | where FileName =~ "msiexec.exe"
    | project DeviceId, DeviceName, ProcessUniqueId, ProcessTime = TimeGenerated, ProcessCommandLine;
let InboundToInstaller = DeviceNetworkEvents
    | where ActionType == "InboundConnectionAccepted"
    | where InitiatingProcessFileName =~ "msiexec.exe"
    | distinct DeviceId, RemoteIP;
let ForeignDlls = DeviceImageLoadEvents
    | where FileName endswith ".dll"
    | where not (FolderPath contains "System32")
    | project InitiatingProcessUniqueId, DllPath = FolderPath, DllName = FileName;
CustomActionServers
| join kind=inner InboundToInstaller on DeviceId
| join kind=inner ForeignDlls on $left.ProcessUniqueId == $right.InitiatingProcessUniqueId
| summarize EventCount = count(), Dlls = make_set(DllName, 20) by DeviceName, RemoteIP, bin(ProcessTime, 1h)

This query correlates process creation, inbound connections and image loads to surface the full chain: the installer service spawns a custom action server, msiexec has accepted a connection from a remote host, and that server loaded a DLL from outside System32. The image-load join is keyed on the process identifier, so it is precise; the network join is keyed on the device only and is not time-bounded, so on busy servers add a window around ProcessTime as in section 3.
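The correlation described in sections 3, 5 and 7 can be prototyped and unit-tested outside Sentinel before it becomes a KQL rule. The Python below is an added example and not code from the original post: it builds constructed sample rows in the shape of the three MDE tables (device names, ProcessUniqueId values, addresses, timestamps and paths are all made up) and applies the same three stages, with a symmetric time window around the custom action server's start and without the ".dll" suffix filter, so that a Binary-table custom action extracted as MSI####.tmp is not missed.

```python
"""Multi-stage correlation of the article's sections 3, 5 and 7 over sample telemetry.

Added example for this article, not code from the original post. The event rows are
constructed to mimic the column names of DeviceProcessEvents, DeviceNetworkEvents and
DeviceImageLoadEvents; device names, ProcessUniqueId values, IPs and paths are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

WINDOW = timedelta(minutes=5)


def ts(s):
    return datetime.fromisoformat(s)


# --- constructed sample telemetry (hypothetical hosts and IDs) ---------------------------
PROCESS_EVENTS = [
    # SRV01: custom action server, i.e. msiexec spawned by the installer service (a child of services.exe)
    {"TimeGenerated": ts("2024-05-01T10:00:05"), "DeviceId": "d1", "DeviceName": "SRV01",
     "FileName": "msiexec.exe", "InitiatingProcessFileName": "msiexec.exe",
     "InitiatingProcessParentFileName": "services.exe", "ProcessUniqueId": "p-1001"},
    # WS07: interactive install started from explorer.exe, not the service
    {"TimeGenerated": ts("2024-05-01T10:01:00"), "DeviceId": "d2", "DeviceName": "WS07",
     "FileName": "msiexec.exe", "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessParentFileName": "userinit.exe", "ProcessUniqueId": "p-2001"},
    # SRV02: custom action server, but its inbound connection is 40 minutes earlier and only System32 DLLs load
    {"TimeGenerated": ts("2024-05-01T11:30:00"), "DeviceId": "d3", "DeviceName": "SRV02",
     "FileName": "msiexec.exe", "InitiatingProcessFileName": "msiexec.exe",
     "InitiatingProcessParentFileName": "services.exe", "ProcessUniqueId": "p-3001"},
]
NETWORK_EVENTS = [
    # DCOM client connecting to the activated installer server on its dynamic RPC port
    {"TimeGenerated": ts("2024-05-01T09:59:50"), "DeviceId": "d1", "ActionType": "InboundConnectionAccepted",
     "InitiatingProcessFileName": "msiexec.exe", "RemoteIP": "10.10.5.23", "RemotePort": 49711},
    # endpoint mapper hit lands on svchost (RpcSs), so it is not attributed to msiexec
    {"TimeGenerated": ts("2024-05-01T09:59:49"), "DeviceId": "d1", "ActionType": "InboundConnectionAccepted",
     "InitiatingProcessFileName": "svchost.exe", "RemoteIP": "10.10.5.23", "RemotePort": 135},
    # outbound to an external address: wrong direction and not an internal peer
    {"TimeGenerated": ts("2024-05-01T10:00:40"), "DeviceId": "d1", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "msiexec.exe", "RemoteIP": "8.8.8.8", "RemotePort": 443},
    {"TimeGenerated": ts("2024-05-01T10:50:00"), "DeviceId": "d3", "ActionType": "InboundConnectionAccepted",
     "InitiatingProcessFileName": "msiexec.exe", "RemoteIP": "10.10.5.23", "RemotePort": 49712},
]
IMAGE_LOAD_EVENTS = [
    {"DeviceId": "d1", "InitiatingProcessUniqueId": "p-1001", "FolderPath": r"C:\Windows\System32", "FileName": "msi.dll"},
    # a custom action DLL from the Binary table is extracted as MSI####.tmp before it is loaded
    {"DeviceId": "d1", "InitiatingProcessUniqueId": "p-1001", "FolderPath": r"C:\Windows\Installer", "FileName": "MSI4F2A.tmp"},
    {"DeviceId": "d1", "InitiatingProcessUniqueId": "p-1001",
     "FolderPath": r"C:\Users\svc_deploy\AppData\Local\Temp", "FileName": "odbccfg.dll"},
    {"DeviceId": "d3", "InitiatingProcessUniqueId": "p-3001", "FolderPath": r"C:\Windows\System32", "FileName": "msi.dll"},
]


def custom_action_servers(process_events):
    """Section 7, stage 1: msiexec spawned by msiexec whose parent is services.exe."""
    return [e for e in process_events
            if e["FileName"].lower() == "msiexec.exe"
            and e["InitiatingProcessFileName"].lower() == "msiexec.exe"
            and e["InitiatingProcessParentFileName"].lower() == "services.exe"]


def inbound_installer_connections(network_events):
    """Sections 3 and 7: inbound connections accepted by msiexec from an internal (private) address."""
    by_device = defaultdict(list)
    for e in network_events:
        if (e["ActionType"] == "InboundConnectionAccepted"
                and e["InitiatingProcessFileName"].lower() == "msiexec.exe"
                and ip_address(e["RemoteIP"]).is_private):
            by_device[e["DeviceId"]].append(e)
    return by_device


def foreign_image_loads(image_load_events):
    """Section 5: images loaded from anywhere but System32, keyed by the loading process."""
    by_process = defaultdict(list)
    for e in image_load_events:
        if "system32" not in e["FolderPath"].lower():
            by_process[e["InitiatingProcessUniqueId"]].append(e)
    return by_process


def correlate(process_events, network_events, image_load_events, window=WINDOW):
    """One alert per custom action server with both an inbound DCOM peer inside the window
    around its start and at least one foreign image load. The window is symmetric because
    the activating connection reaches the installer service before the custom action
    server process exists."""
    inbound = inbound_installer_connections(network_events)
    loads = foreign_image_loads(image_load_events)
    alerts = []
    for p in custom_action_servers(process_events):
        start, end = p["TimeGenerated"] - window, p["TimeGenerated"] + window
        peers = sorted({c["RemoteIP"] for c in inbound[p["DeviceId"]] if start <= c["TimeGenerated"] <= end})
        images = sorted(e["FolderPath"] + "\\" + e["FileName"] for e in loads[p["ProcessUniqueId"]])
        if peers and images:
            alerts.append({"DeviceName": p["DeviceName"], "ProcessUniqueId": p["ProcessUniqueId"],
                           "RemoteIPs": peers, "ForeignImages": images})
    return alerts


if __name__ == "__main__":
    for a in correlate(PROCESS_EVENTS, NETWORK_EVENTS, IMAGE_LOAD_EVENTS):
        print(a["DeviceName"], a["RemoteIPs"], a["ForeignImages"])
```

Only SRV01 survives the chain: WS07's msiexec is an interactive install with the wrong ancestry, and SRV02's inbound connection sits 40 minutes outside the window while its only loads come from System32. Widening the window to an hour does not change the result, because the image-load leg still fails for SRV02; that is the value of keying the last join on the process rather than the device.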
What Undercode Say:
- Evasion Sophistication: Every step uses a signed Microsoft binary doing what it was built for, so the activity passes application allowlisting policies that permit msiexec and blends into routine software deployment.
- Detection Gap Exploitation: The telling events are installer service process trees, RPC connections accepted by msiexec and writes to the ODBC registry keys, none of which raise alerts by default in MDE; the gap is one of baselining and correlation rather than missing telemetry.
DCOM-based lateral movement through MSI custom actions is a notable step in tradecraft. By abusing a legitimate installation mechanism, the attacker moves in a way that blends with normal administrative activity, and because the remote activation, the package delivery and the payload execution are separate stages carried out by separate signed processes, a detection keyed on any single indicator sees nothing unusual. Security teams need behavioural analytics that correlate process, network, image-load and registry telemetry and that examine process ancestry and timing rather than static indicators.
Prediction:
This methodology is likely to be packaged into automated tooling, with threat actors building specialised MSI packages for different lateral movement scenarios. Within 12-18 months we expect commodity malware to incorporate the technique, while advanced persistent threats develop variants built on other remote activation mechanisms, including cloud-based ones. The security industry will respond with closer monitoring of Windows Installer activity and behavioural detection for ODBC driver manipulation, but the trust placed in Microsoft's installation mechanisms will continue to challenge defenders.
Reported By: Mehmetergene Threathunting – Hackers Feeds