DLLHost.exe is being used by an adversary to execute WMIC commands for domain discovery, indicating potential lateral movement or reconnaissance activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent further network infiltration.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine == "dllhost.exe"
| where ProcessCommandLine has "wmic computersystem get domain"
```
```yaml
id: dc612ff9-88ac-4968-97c1-6789cd48c5d8
name: DLLHost.exe WMIC domain discovery
description: |
  Identify dllhost.exe using WMIC to discover additional hosts and associated domain.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Reconnaissance
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine == "dllhost.exe"
  | where ProcessCommandLine has "wmic computersystem get domain"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Task Using DLLHost.exe for Legitimate Process Monitoring
Description: A scheduled task runs a script that uses dllhost.exe to monitor system processes or services.
Filter/Exclusion: Exclude processes where dllhost.exe is launched by schtasks.exe or Task Scheduler with a known legitimate task name.
Scenario: Microsoft Office Add-in or COM Component Initialization
Description: dllhost.exe is used by Microsoft Office applications (e.g., Excel, Outlook) to host COM add-ins or components.
Filter/Exclusion: Exclude processes where dllhost.exe is launched from an Office application (e.g., excel.exe, outlook.exe) or from the Microsoft Office directory.
Scenario: Windows Update or System Maintenance Task
Description: dllhost.exe is used by Windows Update or other system maintenance tools to perform background operations.
Filter/Exclusion: Exclude processes where dllhost.exe is launched by wuauclt.exe or svchost.exe with a known system service name.
Scenario: PowerShell Script Using COM Objects
Description: A PowerShell script uses COM objects hosted by dllhost.exe to interact with system components or third-party applications.
Filter/Exclusion: Exclude processes where dllhost.exe is launched by powershell.exe and the script path is known to be legitimate or whitelisted.
Scenario: Antivirus or Security Software Integration
Description: Security software may use dllhost.exe to host plugins or modules for real-time protection or threat detection.
Filter/Exclusion: Exclude processes where dllhost.exe is launched by a known security vendor (e.g., McAfee, Kaspersky, Bitdefender) or
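To make the detection logic and the exclusion scenarios above concrete, here is an added Python re-implementation of the query that runs offline over constructed rows in the shape of the DeviceProcessEvents table. It is example code written for this page, not part of the Sentinel rule. It mirrors the two `where` clauses (note that `=~` is case-insensitive while `==` is an exact, case-sensitive match, so a normal COM surrogate launched as `dllhost.exe /Processid:{...}` does not match), then applies the benign-scenario filters using the `InitiatingProcessParentFileName` column. The `ParentCommandLine` field, the allow-listed script path and all sample rows are constructed assumptions; DeviceProcessEvents does not carry the grandparent's command line, so you would have to join it in yourself.

```python
from __future__ import annotations

import re
from typing import Iterable, Optional

# Case-insensitive, term-bounded match approximating the KQL `has` operator.
WMIC_DOMAIN_RE = re.compile(
    r"(?<![a-z0-9_])wmic computersystem get domain(?![a-z0-9_])", re.IGNORECASE
)

# Tuning lists for the false-positive scenarios described above.
# All values are constructed placeholders; replace them with your own allow-lists.
OFFICE_PARENTS = {"excel.exe", "outlook.exe"}
SYSTEM_PARENTS = {"wuauclt.exe", "svchost.exe"}
SCRIPT_HOST_PARENTS = {"schtasks.exe", "powershell.exe"}
ALLOWED_PARENT_CMDLINES = {
    # constructed: a known inventory script that legitimately queries the domain
    r"powershell.exe -file c:\scripts\inventory\collect-domain.ps1",
}
SECURITY_VENDOR_KEYWORDS = ("mcafee", "kaspersky", "bitdefender")


def matches_query(ev: dict) -> bool:
    """Python equivalent of the two `where` clauses in the KQL hunting query."""
    return (
        ev.get("InitiatingProcessFileName", "").lower() == "dllhost.exe"  # =~ : case-insensitive
        and ev.get("InitiatingProcessCommandLine", "") == "dllhost.exe"  # == : exact match
        and WMIC_DOMAIN_RE.search(ev.get("ProcessCommandLine", "")) is not None
    )


def exclusion_reason(ev: dict) -> Optional[str]:
    """Return the benign scenario this event falls under, or None if it should alert."""
    parent = ev.get("InitiatingProcessParentFileName", "").lower()
    # ParentCommandLine is NOT a DeviceProcessEvents column; this example assumes the
    # row has been enriched with the grandparent's command line (constructed field).
    parent_cmd = ev.get("ParentCommandLine", "").lower()

    if parent in OFFICE_PARENTS:
        return "office-com-addin"
    if parent in SYSTEM_PARENTS:
        return "windows-maintenance"
    if parent in SCRIPT_HOST_PARENTS and parent_cmd in ALLOWED_PARENT_CMDLINES:
        return "allow-listed-script"
    if any(keyword in parent for keyword in SECURITY_VENDOR_KEYWORDS):
        return "security-vendor"
    return None


def hunt(events: Iterable[dict]) -> tuple[list[dict], list[tuple[dict, str]]]:
    """Apply the query, then the exclusions. Returns (alerts, suppressed-with-reason)."""
    alerts: list[dict] = []
    suppressed: list[tuple[dict, str]] = []
    for ev in events:
        if not matches_query(ev):
            continue
        reason = exclusion_reason(ev)
        if reason is None:
            alerts.append(ev)
        else:
            suppressed.append((ev, reason))
    return alerts, suppressed


# Constructed sample rows in DeviceProcessEvents shape (not real telemetry).
SAMPLE_EVENTS = [
    {   # bare dllhost.exe spawning WMIC domain discovery with no benign context: alert
        "DeviceName": "ws01", "InitiatingProcessFileName": "DllHost.exe",
        "InitiatingProcessCommandLine": "dllhost.exe", "InitiatingProcessParentFileName": "explorer.exe",
        "ProcessFileName": "WMIC.exe", "ProcessCommandLine": "wmic computersystem get domain",
    },
    {   # ordinary COM surrogate: /Processid in the command line, so `==` does not match
        "DeviceName": "ws02", "InitiatingProcessFileName": "dllhost.exe",
        "InitiatingProcessCommandLine": "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
        "InitiatingProcessParentFileName": "svchost.exe",
        "ProcessFileName": "WMIC.exe", "ProcessCommandLine": "wmic computersystem get domain",
    },
    {   # Office add-in scenario: matches the query but is excluded by parent
        "DeviceName": "ws03", "InitiatingProcessFileName": "dllhost.exe",
        "InitiatingProcessCommandLine": "dllhost.exe", "InitiatingProcessParentFileName": "EXCEL.EXE",
        "ProcessFileName": "WMIC.exe", "ProcessCommandLine": "WMIC computersystem get domain",
    },
    {   # allow-listed PowerShell inventory script (constructed path): excluded
        "DeviceName": "ws04", "InitiatingProcessFileName": "dllhost.exe",
        "InitiatingProcessCommandLine": "dllhost.exe", "InitiatingProcessParentFileName": "powershell.exe",
        "ParentCommandLine": r"powershell.exe -File C:\Scripts\Inventory\Collect-Domain.ps1",
        "ProcessFileName": "WMIC.exe", "ProcessCommandLine": "wmic computersystem get domain",
    },
    {   # different WMIC query: not what this rule looks for
        "DeviceName": "ws05", "InitiatingProcessFileName": "dllhost.exe",
        "InitiatingProcessCommandLine": "dllhost.exe", "InitiatingProcessParentFileName": "explorer.exe",
        "ProcessFileName": "WMIC.exe", "ProcessCommandLine": "wmic os get caption",
    },
]

if __name__ == "__main__":
    found, dropped = hunt(SAMPLE_EVENTS)
    for ev in found:
        print("ALERT     ", ev["DeviceName"], ev["ProcessCommandLine"])
    for ev, why in dropped:
        print("SUPPRESSED", ev["DeviceName"], why)
```

Running it flags only `ws01`; `ws03` and `ws04` are suppressed with their scenario name, and `ws02`/`ws05` never match the query. Keep the suppression reasons in your output rather than silently dropping rows, so that tuning decisions stay auditable when the rule is reviewed.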