T1021.003 CrowdStrike LogScale · LogScale

Detect Distributed Component Object Model in CrowdStrike LogScale

Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). DCOM extends Windows COM (Component Object Model) beyond local machines using RPC, allowing remote method calls on COM objects. Adversaries with Administrator privileges can remotely obtain code execution through Office applications (Excel, Outlook), MMC20.Application, ShellWindows, and other insecure COM objects. Tools like Empire's Invoke-DCOM, Cobalt Strike, and SILENTTRINITY have built-in DCOM lateral movement capabilities. DCOM communicates over TCP port 135 (RPC endpoint mapper) and dynamically assigned high ports.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.003 Distributed Component Object Model
Canonical reference
https://attack.mitre.org/techniques/T1021/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ParentBaseFileName := lower(ParentBaseFileName)
| FileName := lower(FileName)
| dcom_parent := ParentBaseFileName in ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe")
| suspicious_child := FileName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
| dcom_config_tool := FileName = "dcomcnfg.exe"
| dcom_cmdline := CommandLine = /(?i)DCOM/ AND CommandLine = /(?i)-Exec/
| where dcom_parent AND suspicious_child OR dcom_config_tool OR dcom_cmdline
| DetectionPattern := case {
    dcom_config_tool => "DCOM_ConfigTool",
    dcom_parent AND suspicious_child => "COM_SuspiciousChild",
    dcom_cmdline => "DCOM_CommandLineRef",
    * => "DCOM_Other"
  }
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionPattern])
| sort(@timestamp, order=desc)
high severity high confidence

CrowdStrike LogScale (Falcon SIEM) detection for DCOM lateral movement using ProcessRollup2 telemetry from the Falcon sensor. Normalizes process names to lowercase, evaluates COM host parent/suspicious child combinations, dcomcnfg.exe execution, and DCOM command-line patterns. Outputs a classified detection pattern alongside process context for analyst triage.

Data Sources

CrowdStrike Falcon PlatformCrowdStrike LogScale (Humio)Falcon ProcessRollup2 telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon Real Time Response (RTR) sessions where an analyst remotely launches PowerShell or cmd.exe from an Office application context during live incident response
  • Patch management tooling (Tanium, BigFix) that uses COM automation via mmc.exe or Office applications to execute remediation scripts on managed endpoints
  • Legitimate use of dcomcnfg.exe by system administrators performing DCOM permission hardening or CIS benchmark remediation on Windows Server infrastructure
  • Automated testing pipelines on CI/CD build agents running Windows where Excel COM objects are used to validate spreadsheet output and spawn helper scripts
Download portable Sigma rule (.yml)

Other platforms for T1021.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DCOM Lateral Movement via MMC20.Application

    Expected signal: Sysmon Event ID 1: powershell.exe process with MMC20.Application in command line. Sysmon Event ID 3: outbound connection to 127.0.0.1 on port 135 and dynamic RPC port. Sysmon Event ID 1 on target: mmc.exe spawning cmd.exe. Sysmon Event ID 11: dcom_test.txt file created in C:\Windows\Temp.

  2. Test 2DCOM Lateral Movement via ShellWindows

    Expected signal: Sysmon Event ID 1: powershell.exe with CLSID 9BA05972 in command line. Sysmon Event ID 3: connection to 127.0.0.1:135. Sysmon Event ID 1: explorer.exe or svchost spawning cmd.exe on the target.

  3. Test 3Query DCOM Configuration via dcomcnfg

    Expected signal: Sysmon Event ID 1: Process Create for dcomcnfg.exe. Security Event ID 4688 (if command-line auditing enabled). The process tree will show dcomcnfg.exe spawning mmc.exe as a child.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1021.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1021.004SSHT1021.005VNCT1021.006Windows Remote ManagementT1021.007Cloud ServicesT1021.008Direct Cloud VM Connections

Related Techniques

T1021Remote ServicesT1047Windows Management InstrumentationT1559.001Component Object ModelT1175Component Object Model and Distributed COMT1021.002SMB/Windows Admin SharesT1059.001PowerShellT1055Process InjectionT1546.015Component Object Model Hijacking

Same Tactic: Lateral Movement

Popular Detections