Detect Distributed Component Object Model in Google Chronicle
Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). DCOM extends Windows COM (Component Object Model) beyond local machines using RPC, allowing remote method calls on COM objects. Adversaries with Administrator privileges can remotely obtain code execution through Office applications (Excel, Outlook), MMC20.Application, ShellWindows, and other insecure COM objects. Tools like Empire's Invoke-DCOM, Cobalt Strike, and SILENTTRINITY have built-in DCOM lateral movement capabilities. DCOM communicates over TCP port 135 (RPC endpoint mapper) and dynamically assigned high ports.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1021 Remote Services
- Sub-technique
- T1021.003 Distributed Component Object Model
- Canonical reference
- https://attack.mitre.org/techniques/T1021/003/
YARA-L Detection Query
rule t1021_003_dcom_lateral_movement {
meta:
author = "Detection Engineering"
description = "Detects DCOM lateral movement via suspicious process spawning from COM host processes (mmc.exe, Office apps), direct dcomcnfg.exe execution, and DCOM command-line references"
mitre_attack = "T1021.003"
mitre_tactic = "Lateral Movement"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1021/003/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
(
re.regex($e.principal.process.file.full_path, `(?i)(\\|/)?(mmc|excel|winword|outlook|powerpnt|visio)\.exe$`)
and
re.regex($e.target.process.file.full_path, `(?i)(\\|/)?(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$`)
)
or
re.regex($e.target.process.file.full_path, `(?i)(\\|/)?dcomcnfg\.exe$`)
or
(
re.regex($e.target.process.command_line, `(?i)DCOM`)
and
re.regex($e.target.process.command_line, `(?i)-Exec`)
)
)
outcome:
$detection_pattern = if(
re.regex($e.target.process.file.full_path, `(?i)dcomcnfg\.exe$`), "DCOM_ConfigTool",
re.regex($e.principal.process.file.full_path, `(?i)(mmc|excel|winword|outlook|powerpnt)\.exe$`), "COM_SuspiciousChild",
"DCOM_CommandLineRef"
)
$hostname = $e.principal.hostname
$username = $e.principal.user.userid
$child_process = $e.target.process.file.full_path
$command_line = $e.target.process.command_line
$parent_process = $e.principal.process.file.full_path
condition:
$e
}Chronicle YARA-L 2.0 rule detecting DCOM lateral movement via the UDM PROCESS_LAUNCH event type. Matches suspicious child processes spawned from known COM host applications, direct execution of dcomcnfg.exe, and DCOM-themed command-line references. Outcome variables surface hostname, username, process paths, and a classified detection pattern for alert enrichment.
Data Sources
Required Tables
False Positives & Tuning
- Microsoft Endpoint Configuration Manager (SCCM/MECM) task sequences that use Office COM automation to run PowerShell scripts as part of application installation packages
- Legitimate administrative scripts executed by IT staff that invoke dcomcnfg.exe to review or document DCOM component configurations during hardening audits
- Enterprise monitoring agents (e.g. SolarWinds, PRTG) that use COM objects within mmc.exe context to collect Windows management data and spawn cmd.exe for WMI queries
- Developer workstations running Visual Studio or Office development tools that spawn script hosts as child processes during COM add-in debugging sessions
Other platforms for T1021.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DCOM Lateral Movement via MMC20.Application
Expected signal: Sysmon Event ID 1: powershell.exe process with MMC20.Application in command line. Sysmon Event ID 3: outbound connection to 127.0.0.1 on port 135 and dynamic RPC port. Sysmon Event ID 1 on target: mmc.exe spawning cmd.exe. Sysmon Event ID 11: dcom_test.txt file created in C:\Windows\Temp.
- Test 2DCOM Lateral Movement via ShellWindows
Expected signal: Sysmon Event ID 1: powershell.exe with CLSID 9BA05972 in command line. Sysmon Event ID 3: connection to 127.0.0.1:135. Sysmon Event ID 1: explorer.exe or svchost spawning cmd.exe on the target.
- Test 3Query DCOM Configuration via dcomcnfg
Expected signal: Sysmon Event ID 1: Process Create for dcomcnfg.exe. Security Event ID 4688 (if command-line auditing enabled). The process tree will show dcomcnfg.exe spawning mmc.exe as a child.
References (7)
- https://attack.mitre.org/techniques/T1021/003/
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
- https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1
- https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model
Unlock Pro Content
Get the full detection package for T1021.003 including response playbook, investigation guide, and atomic red team tests.