T1021.003 Distributed Component Object Model Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect DCOM lateral movement via process spawning from COM host processes
let DcomLaunchParents = dynamic(["mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
// Pattern 1: Suspicious child processes from DCOM/COM hosts
| where InitiatingProcessFileName has_any (DcomLaunchParents)
| where FileName has_any (SuspiciousChildren)
| extend Pattern = "COM_SuspiciousChild"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, Pattern
| union (
    // Pattern 2: MMC20 DCOM lateral movement (shellexecute via MMC)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName =~ "mmc.exe"
    | where FileName =~ "cmd.exe" or FileName =~ "powershell.exe"
    | extend Pattern = "MMC20_DCOM"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine, Pattern
)
| union (
    // Pattern 3: dcomcnfg.exe execution (DCOM config tool)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "dcomcnfg.exe"
    | extend Pattern = "DCOM_ConfigTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine, Pattern
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate administrative scripts using DCOM to manage remote systems via WMI (IT automation tools like Ansible, SCCM)
Office applications launching helper processes during document processing or macro execution for legitimate business use
MMC snap-ins spawning cmd.exe for legitimate administrative tasks by IT staff
Software developers testing DCOM-based applications or COM server registration
Monitoring tools that use COM automation to collect system information

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (ParentImage="*\\mmc.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\winword.exe" OR ParentImage="*\\outlook.exe" OR ParentImage="*\\powerpnt.exe")
  AND
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe")
)
OR
(
  Image="*\\dcomcnfg.exe"
)
OR
(
  CommandLine="*-Exec*" AND CommandLine="*DCOM*"
)
| eval DetectionPattern=case(
    match(ParentImage, "(mmc|excel|winword|outlook|powerpnt)") AND match(Image, "(cmd|powershell|wscript|cscript|mshta|rundll32)"), "COM_SuspiciousChild",
    match(Image, "dcomcnfg"), "DCOM_ConfigTool",
    match(CommandLine, "DCOM"), "DCOM_CommandLineRef",
    true(), "DCOM_Other"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionPattern
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1 (Process Create)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate administrative scripts using DCOM/WMI for remote management
Office applications launching helper processes for legitimate macro execution
MMC snap-ins spawning cmd.exe for administrative tasks
Software developers testing DCOM-based applications
Monitoring tools using COM automation

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  (
    process.parent.name in~ ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe") and
    process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
  ) or
  process.name == "dcomcnfg.exe" or
  (
    process.command_line : "*DCOM*" and process.command_line : "*-Exec*"
  )
)

high severity high confidence

Data Sources

Elastic Agent (Windows) Winlogbeat with Sysmon Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-system.security-*

False Positives

Legitimate IT administrators using mmc.exe to spawn PowerShell for authorized remote management tasks on managed endpoints
Security tools or EDR agents that use COM automation to invoke cmd.exe or PowerShell as part of scheduled scans or remediation workflows
Software deployment platforms (SCCM, Intune) that legitimately leverage Office application COM interfaces to run scripts during patch cycles
Excel macro-based automation in finance or operations environments where Excel spawns wscript.exe or cmd.exe for approved business logic

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Parent Process Name" AS ParentProcessName,
  "Command Line" AS CommandLine,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  CASE
    WHEN LOWER("Process Name") LIKE '%dcomcnfg.exe' THEN 'DCOM_ConfigTool'
    WHEN (LOWER("Parent Process Name") LIKE '%mmc.exe' OR LOWER("Parent Process Name") LIKE '%excel.exe'
          OR LOWER("Parent Process Name") LIKE '%winword.exe' OR LOWER("Parent Process Name") LIKE '%outlook.exe'
          OR LOWER("Parent Process Name") LIKE '%powerpnt.exe')
         AND (LOWER("Process Name") LIKE '%cmd.exe' OR LOWER("Process Name") LIKE '%powershell.exe'
              OR LOWER("Process Name") LIKE '%wscript.exe' OR LOWER("Process Name") LIKE '%cscript.exe'
              OR LOWER("Process Name") LIKE '%mshta.exe' OR LOWER("Process Name") LIKE '%rundll32.exe')
         THEN 'COM_SuspiciousChild'
    WHEN "Command Line" ILIKE '%DCOM%' THEN 'DCOM_CommandLineRef'
    ELSE 'DCOM_Other'
  END AS DetectionPattern
FROM events
WHERE LOGSOURCETYPEID(devicetype) IN (12, 433)
  AND (
    (
      (LOWER("Parent Process Name") LIKE '%mmc.exe'
        OR LOWER("Parent Process Name") LIKE '%excel.exe'
        OR LOWER("Parent Process Name") LIKE '%winword.exe'
        OR LOWER("Parent Process Name") LIKE '%outlook.exe'
        OR LOWER("Parent Process Name") LIKE '%powerpnt.exe')
      AND
      (LOWER("Process Name") LIKE '%cmd.exe'
        OR LOWER("Process Name") LIKE '%powershell.exe'
        OR LOWER("Process Name") LIKE '%wscript.exe'
        OR LOWER("Process Name") LIKE '%cscript.exe'
        OR LOWER("Process Name") LIKE '%mshta.exe'
        OR LOWER("Process Name") LIKE '%rundll32.exe')
    )
    OR LOWER("Process Name") LIKE '%dcomcnfg.exe'
    OR ("Command Line" ILIKE '%DCOM%' AND "Command Line" ILIKE '%-Exec%')
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Sysmon via QRadar DSM Windows Security Event Log via QRadar DSM

Required Tables

events

False Positives

Helpdesk or IT staff using mmc.exe (MMC snap-ins like Active Directory Users and Computers) that legitimately invoke PowerShell for scripted AD management
Automated software testing frameworks that use Office COM automation to drive Excel or Word and spawn helper processes as part of regression test suites
Backup and monitoring agents that use COM interfaces to launch cmd.exe child processes when collecting system state information on Windows servers
Security awareness training platforms that demonstrate DCOM techniques in a sandboxed environment on training workstations

Sumo Logic CSE

sql

_sourceCategory=*windows/sysmon* OR _sourceCategory=*wineventlog*
| where EventCode = "1" OR EventCode = "4688"
| parse regex field=ParentImage "(?i)(?<ParentProcessName>[^\\\\]+)$" nodrop
| parse regex field=Image "(?i)(?<ChildProcessName>[^\\\\]+)$" nodrop
| toLowerCase(ParentProcessName) as parent_proc
| toLowerCase(ChildProcessName) as child_proc
| where (
    (
      parent_proc in ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe")
      AND child_proc in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
    )
    OR child_proc = "dcomcnfg.exe"
    OR (CommandLine matches "*DCOM*" AND CommandLine matches "*-Exec*")
  )
| if (child_proc = "dcomcnfg.exe", "DCOM_ConfigTool",
    if (parent_proc in ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe"),
        "COM_SuspiciousChild", "DCOM_CommandLineRef")) as DetectionPattern
| count as EventCount by _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionPattern
| fields -EventCount
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon (Sumo Logic Collector) Windows Security Event Log (Sumo Logic Collector)

Required Tables

_sourceCategory=*windows/sysmon* _sourceCategory=*wineventlog*

False Positives

Enterprise software deployment via SCCM that uses Office COM objects to deliver or configure applications, spawning cmd.exe or PowerShell as child processes
Automated reporting systems in finance organizations where Excel macros legitimately spawn wscript.exe to process or export data files on schedule
IT operations tooling (e.g. Ansible WinRM modules, SaltStack) that uses mmc.exe as an entry point for remote configuration management tasks
Help desk remote support sessions using legitimate DCOM-based remote management tools that trigger these parent-child process relationships

Google Chronicle / SecOps

yaral

rule t1021_003_dcom_lateral_movement {
  meta:
    author = "Detection Engineering"
    description = "Detects DCOM lateral movement via suspicious process spawning from COM host processes (mmc.exe, Office apps), direct dcomcnfg.exe execution, and DCOM command-line references"
    mitre_attack = "T1021.003"
    mitre_tactic = "Lateral Movement"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1021/003/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\|/)?(mmc|excel|winword|outlook|powerpnt|visio)\.exe$`)
        and
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)?(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$`)
      )
      or
      re.regex($e.target.process.file.full_path, `(?i)(\\|/)?dcomcnfg\.exe$`)
      or
      (
        re.regex($e.target.process.command_line, `(?i)DCOM`)
        and
        re.regex($e.target.process.command_line, `(?i)-Exec`)
      )
    )

  outcome:
    $detection_pattern = if(
      re.regex($e.target.process.file.full_path, `(?i)dcomcnfg\.exe$`), "DCOM_ConfigTool",
      re.regex($e.principal.process.file.full_path, `(?i)(mmc|excel|winword|outlook|powerpnt)\.exe$`), "COM_SuspiciousChild",
      "DCOM_CommandLineRef"
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $child_process = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Sysmon via Chronicle forwarder Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH)

False Positives

Microsoft Endpoint Configuration Manager (SCCM/MECM) task sequences that use Office COM automation to run PowerShell scripts as part of application installation packages
Legitimate administrative scripts executed by IT staff that invoke dcomcnfg.exe to review or document DCOM component configurations during hardening audits
Enterprise monitoring agents (e.g. SolarWinds, PRTG) that use COM objects within mmc.exe context to collect Windows management data and spawn cmd.exe for WMI queries
Developer workstations running Visual Studio or Office development tools that spawn script hosts as child processes during COM add-in debugging sessions

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName := lower(ParentBaseFileName)
| FileName := lower(FileName)
| dcom_parent := ParentBaseFileName in ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe")
| suspicious_child := FileName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
| dcom_config_tool := FileName = "dcomcnfg.exe"
| dcom_cmdline := CommandLine = /(?i)DCOM/ AND CommandLine = /(?i)-Exec/
| where dcom_parent AND suspicious_child OR dcom_config_tool OR dcom_cmdline
| DetectionPattern := case {
    dcom_config_tool => "DCOM_ConfigTool",
    dcom_parent AND suspicious_child => "COM_SuspiciousChild",
    dcom_cmdline => "DCOM_CommandLineRef",
    * => "DCOM_Other"
  }
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionPattern])
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike LogScale (Humio) Falcon ProcessRollup2 telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Falcon Real Time Response (RTR) sessions where an analyst remotely launches PowerShell or cmd.exe from an Office application context during live incident response
Patch management tooling (Tanium, BigFix) that uses COM automation via mmc.exe or Office applications to execute remediation scripts on managed endpoints
Legitimate use of dcomcnfg.exe by system administrators performing DCOM permission hardening or CIS benchmark remediation on Windows Server infrastructure
Automated testing pipelines on CI/CD build agents running Windows where Excel COM objects are used to validate spreadsheet output and spawn helper scripts

Distributed Component Object Model

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections