T1021.003 IBM QRadar · QRadar

Detect Distributed Component Object Model in IBM QRadar

Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). DCOM extends Windows COM (Component Object Model) beyond the local machine over RPC: a client first contacts the RPC endpoint mapper on TCP port 135, then the dynamically assigned high port on which the target COM server is listening. Adversaries with administrative rights on the target can obtain remote code execution through exposed COM objects such as the Office applications (Excel, Outlook), MMC20.Application and ShellWindows. Tools such as Empire's Invoke-DCOM, Cobalt Strike, and SILENTTRINITY have built-in DCOM lateral movement capabilities. On the target, the command runs as a child of the COM server's host process (for example mmc.exe for MMC20.Application, or explorer.exe for ShellWindows), and that parent/child relationship in process-creation telemetry is what a detection keys on.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.003 Distributed Component Object Model
Canonical reference
https://attack.mitre.org/techniques/T1021/003/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Parent Process Name" AS ParentProcessName,
  "Command Line" AS CommandLine,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  CASE
    WHEN LOWER("Process Name") LIKE '%dcomcnfg.exe' THEN 'DCOM_ConfigTool'
    WHEN (LOWER("Parent Process Name") LIKE '%mmc.exe' OR LOWER("Parent Process Name") LIKE '%excel.exe'
          OR LOWER("Parent Process Name") LIKE '%winword.exe' OR LOWER("Parent Process Name") LIKE '%outlook.exe'
          OR LOWER("Parent Process Name") LIKE '%powerpnt.exe')
         AND (LOWER("Process Name") LIKE '%cmd.exe' OR LOWER("Process Name") LIKE '%powershell.exe'
              OR LOWER("Process Name") LIKE '%wscript.exe' OR LOWER("Process Name") LIKE '%cscript.exe'
              OR LOWER("Process Name") LIKE '%mshta.exe' OR LOWER("Process Name") LIKE '%rundll32.exe')
         THEN 'COM_SuspiciousChild'
    WHEN "Command Line" ILIKE '%DCOM%' AND "Command Line" ILIKE '%-Exec%' THEN 'DCOM_CommandLineRef'
    ELSE 'DCOM_Other'
  END AS DetectionPattern
FROM events
WHERE devicetype IN (12, 433)
  AND (
    (
      (LOWER("Parent Process Name") LIKE '%mmc.exe'
        OR LOWER("Parent Process Name") LIKE '%excel.exe'
        OR LOWER("Parent Process Name") LIKE '%winword.exe'
        OR LOWER("Parent Process Name") LIKE '%outlook.exe'
        OR LOWER("Parent Process Name") LIKE '%powerpnt.exe')
      AND
      (LOWER("Process Name") LIKE '%cmd.exe'
        OR LOWER("Process Name") LIKE '%powershell.exe'
        OR LOWER("Process Name") LIKE '%wscript.exe'
        OR LOWER("Process Name") LIKE '%cscript.exe'
        OR LOWER("Process Name") LIKE '%mshta.exe'
        OR LOWER("Process Name") LIKE '%rundll32.exe')
    )
    OR LOWER("Process Name") LIKE '%dcomcnfg.exe'
    OR ("Command Line" ILIKE '%DCOM%' AND "Command Line" ILIKE '%-Exec%')
  )
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity
High
Confidence
High

Detects DCOM lateral movement in IBM QRadar by querying Windows Sysmon (devicetype 433 on this page) and Windows Security Event Log (devicetype 12) process-creation events for three patterns: a shell or script host spawned by a COM host application (mmc.exe or one of the Office binaries), direct execution of dcomcnfg.exe, and a command line containing both "DCOM" and "-Exec" (for example a powershell.exe -ExecutionPolicy invocation of Invoke-DCOM). The CASE expression labels each matching row with its detection pattern; because the WHERE clause admits only rows that satisfy one of the three branches, the ELSE label 'DCOM_Other' is never emitted in practice. Note that devicetype is the log source type ID column on the events table, so the filter compares it directly rather than through a function. Before enabling the rule, confirm the two log source type IDs and the "Process Name", "Parent Process Name" and "Command Line" custom event properties against your own deployment, and be aware that COM hosts outside the parent list (explorer.exe for ShellWindows, for instance) are not covered.

Data Sources

  • IBM QRadar SIEM
  • Windows Sysmon via QRadar DSM
  • Windows Security Event Log via QRadar DSM

Required Tables

events

False Positives & Tuning

  • Helpdesk or IT staff using mmc.exe (MMC snap-ins like Active Directory Users and Computers) that legitimately invoke PowerShell for scripted AD management
  • Automated software testing frameworks that use Office COM automation to drive Excel or Word and spawn helper processes as part of regression test suites
  • Backup and monitoring agents that use COM interfaces to launch cmd.exe child processes when collecting system state information on Windows servers
  • Security awareness training platforms that demonstrate DCOM techniques in a sandboxed environment on training workstations
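
To make the query's behaviour concrete, and to show where the tuning allowlist the bullets above describe would sit, here is the WHERE/CASE logic of the AQL re-implemented in Python and run over constructed Sysmon Event ID 1 records. This is an added illustration, not code from the page's QRadar rule or from IBM; the host and account names are invented, and the 433 Sysmon log source type ID is taken from this page as an assumption. The sample records also exercise the gap a practitioner should know about: the ShellWindows test spawns its child under explorer.exe, which is not in the query's parent list, so that record is dropped.

```python
"""Added example (not part of the page's QRadar rule): the AQL's WHERE/CASE logic
re-implemented in Python and run over constructed Sysmon Event ID 1 records,
with the allowlist the tuning notes call for. Host and account names are invented."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Log source type ids the AQL filters on: 12 = Windows Security Event Log,
# 433 = Sysmon as stated on this page (assumption; verify in your own deployment).
LOG_SOURCE_TYPES = {12, 433}

# Parent images the query treats as COM hosts: mmc.exe (MMC20.Application)
# and the Office binaries exposed through their Application objects.
COM_HOST_PARENTS = ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe")

# Children whose launch from one of those hosts the query flags.
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe")


@dataclass(frozen=True)
class ProcessEvent:
    """The event fields the query reads (Sysmon Image, ParentImage, CommandLine)."""
    devicetype: int
    username: str
    process_name: str
    parent_process_name: str
    command_line: str


def _suffix_match(image: str, names: Iterable[str]) -> bool:
    # Mirrors LOWER(x) LIKE '%name.exe': a case-insensitive suffix match.
    low = image.lower()
    return any(low.endswith(n) for n in names)


def _base(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """DetectionPattern the AQL CASE assigns, or None when the WHERE clause drops the row."""
    if ev.devicetype not in LOG_SOURCE_TYPES:
        return None
    if _suffix_match(ev.process_name, ("dcomcnfg.exe",)):
        return "DCOM_ConfigTool"
    if (_suffix_match(ev.parent_process_name, COM_HOST_PARENTS)
            and _suffix_match(ev.process_name, SUSPICIOUS_CHILDREN)):
        return "COM_SuspiciousChild"
    cl = ev.command_line.lower()
    if "dcom" in cl and "-exec" in cl:
        return "DCOM_CommandLineRef"
    return None


def run_detection(events: Iterable[ProcessEvent],
                  allowlist: Set[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Classify events, suppressing (user, parent, child) triples on the tuning allowlist."""
    hits = []
    for ev in events:
        pattern = classify(ev)
        if pattern is None:
            continue
        if (ev.username.lower(), _base(ev.parent_process_name), _base(ev.process_name)) in allowlist:
            continue
        hits.append((ev.username, pattern))
    return hits


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"

# Constructed records for the three tests on this page plus tuning and noise cases.
SAMPLE_EVENTS = [
    # Test 1, target side: MMC20.Application.ExecuteShellCommand makes mmc.exe spawn cmd.exe.
    ProcessEvent(433, "CORP\\admin01", CMD, "C:\\Windows\\System32\\mmc.exe",
                 'cmd.exe /c "echo test > C:\\Windows\\Temp\\dcom_test.txt"'),
    # Test 1, source side: no "DCOM" string in the command line, so the query is silent.
    ProcessEvent(433, "CORP\\admin01", PS, "C:\\Windows\\explorer.exe",
                 "powershell.exe -c \"[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application','127.0.0.1'))\""),
    # Test 2, target side: ShellWindows spawns the child under explorer.exe, not a listed COM host.
    ProcessEvent(433, "CORP\\admin01", CMD, "C:\\Windows\\explorer.exe", "cmd.exe /c whoami"),
    # Test 3: the dcomcnfg.exe launcher.
    ProcessEvent(12, "CORP\\admin01", "C:\\Windows\\System32\\dcomcnfg.exe",
                 "C:\\Windows\\explorer.exe", "dcomcnfg.exe"),
    # Scripted Invoke-DCOM: "-ExecutionPolicy" satisfies the '%-Exec%' pattern.
    ProcessEvent(12, "CORP\\admin01", PS, CMD,
                 "powershell.exe -ExecutionPolicy Bypass -c Invoke-DCOM -ComputerName srv02 "
                 "-Method MMC20.Application -Command calc.exe"),
    # Helpdesk MMC snap-in running a script: a true match the allowlist should suppress.
    ProcessEvent(12, "CORP\\helpdesk01", PS, "C:\\Windows\\System32\\mmc.exe",
                 "powershell.exe -File C:\\Scripts\\ad-maint.ps1"),
    # Non-Windows log source: dropped by the devicetype filter.
    ProcessEvent(11, "root", "/bin/sh", "/usr/sbin/cron", "sh -c backup.sh"),
]

# Tuning allowlist in the shape of the first false-positive bullet: helpdesk MMC -> PowerShell.
HELPDESK_ALLOWLIST = {("corp\\helpdesk01", "mmc.exe", "powershell.exe")}

if __name__ == "__main__":
    for user, pattern in run_detection(SAMPLE_EVENTS, HELPDESK_ALLOWLIST):
        print(f"{pattern:22} {user}")
```

Running the block prints three hits for admin01 (COM_SuspiciousChild, DCOM_ConfigTool, DCOM_CommandLineRef); the helpdesk row is suppressed by the allowlist and the ShellWindows row never matches at all. The suffix match deliberately mirrors the AQL's LIKE '%cmd.exe'; switching to an exact basename comparison is a cheap hardening against look-alike image names, and adding explorer.exe to the parent list closes the ShellWindows gap at the cost of more tuning.
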

Testing Methodology

Validate this detection with the three Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: DCOM Lateral Movement via MMC20.Application

    Expected signal on the source: Sysmon Event ID 1 for powershell.exe with MMC20.Application in the command line; Sysmon Event ID 3 for an outbound connection to 127.0.0.1 on port 135 followed by a dynamic RPC port. On the target: Sysmon Event ID 1 for mmc.exe spawning cmd.exe (the COM_SuspiciousChild match); Sysmon Event ID 11 for dcom_test.txt created in C:\Windows\Temp.

  2. Test 2: DCOM Lateral Movement via ShellWindows

    Expected signal on the source: Sysmon Event ID 1 for powershell.exe with the ShellWindows CLSID (9BA05972-F6A8-11CF-A442-00A0C90A8F39) in the command line; Sysmon Event ID 3 for a connection to 127.0.0.1:135. On the target: Sysmon Event ID 1 for explorer.exe or svchost.exe spawning cmd.exe. Because explorer.exe is not in the query's parent-process list, this test exercises the telemetry but does not produce a COM_SuspiciousChild match unless the parent list is extended.

  3. Test 3: Query DCOM Configuration via dcomcnfg

    Expected signal: Sysmon Event ID 1 process create for dcomcnfg.exe, and Security Event ID 4688 where process-creation auditing is enabled (the command line appears in 4688 only if command-line auditing is also enabled). The process tree shows dcomcnfg.exe spawning mmc.exe as a child, since dcomcnfg.exe is a launcher for the Component Services MMC snap-in.
