T1021.003 Elastic Security · Elastic

Detect Distributed Component Object Model in Elastic Security

Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). DCOM extends Windows COM (Component Object Model) beyond local machines using RPC, allowing remote method calls on COM objects. Adversaries with Administrator privileges can remotely obtain code execution through Office applications (Excel, Outlook), MMC20.Application, ShellWindows, and other insecure COM objects. Tools like Empire's Invoke-DCOM, Cobalt Strike, and SILENTTRINITY have built-in DCOM lateral movement capabilities. DCOM communicates over TCP port 135 (RPC endpoint mapper) and dynamically assigned high ports.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.003 Distributed Component Object Model
Canonical reference
https://attack.mitre.org/techniques/T1021/003/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and
(
  (
    process.parent.name in~ ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe") and
    process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
  ) or
  process.name == "dcomcnfg.exe" or
  (
    process.command_line : "*DCOM*" and process.command_line : "*-Exec*"
  )
)
high severity high confidence

Detects DCOM lateral movement by identifying suspicious child processes spawned from COM host applications (mmc.exe, Office apps), direct execution of the DCOM configuration tool, and command-line references to DCOM execution. Uses Elastic Common Schema (ECS) process fields against Winlogbeat or Elastic Agent Sysmon data.

Data Sources

Elastic Agent (Windows)Winlogbeat with SysmonElastic Endpoint Security

Required Tables

logs-endpoint.events.process-*winlogbeat-*.ds-logs-system.security-*

False Positives & Tuning

  • Legitimate IT administrators using mmc.exe to spawn PowerShell for authorized remote management tasks on managed endpoints
  • Security tools or EDR agents that use COM automation to invoke cmd.exe or PowerShell as part of scheduled scans or remediation workflows
  • Software deployment platforms (SCCM, Intune) that legitimately leverage Office application COM interfaces to run scripts during patch cycles
  • Excel macro-based automation in finance or operations environments where Excel spawns wscript.exe or cmd.exe for approved business logic
Download portable Sigma rule (.yml)

Other platforms for T1021.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DCOM Lateral Movement via MMC20.Application

    Expected signal: Sysmon Event ID 1: powershell.exe process with MMC20.Application in command line. Sysmon Event ID 3: outbound connection to 127.0.0.1 on port 135 and dynamic RPC port. Sysmon Event ID 1 on target: mmc.exe spawning cmd.exe. Sysmon Event ID 11: dcom_test.txt file created in C:\Windows\Temp.

  2. Test 2DCOM Lateral Movement via ShellWindows

    Expected signal: Sysmon Event ID 1: powershell.exe with CLSID 9BA05972 in command line. Sysmon Event ID 3: connection to 127.0.0.1:135. Sysmon Event ID 1: explorer.exe or svchost spawning cmd.exe on the target.

  3. Test 3Query DCOM Configuration via dcomcnfg

    Expected signal: Sysmon Event ID 1: Process Create for dcomcnfg.exe. Security Event ID 4688 (if command-line auditing enabled). The process tree will show dcomcnfg.exe spawning mmc.exe as a child.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1021.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1021.004SSHT1021.005VNCT1021.006Windows Remote ManagementT1021.007Cloud ServicesT1021.008Direct Cloud VM Connections

Related Techniques

T1021Remote ServicesT1047Windows Management InstrumentationT1559.001Component Object ModelT1175Component Object Model and Distributed COMT1021.002SMB/Windows Admin SharesT1059.001PowerShellT1055Process InjectionT1546.015Component Object Model Hijacking

Same Tactic: Lateral Movement

Popular Detections