T1021.003 Microsoft Sentinel · KQL

Detect Distributed Component Object Model in Microsoft Sentinel

Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). DCOM extends Windows COM (Component Object Model) beyond local machines using RPC, allowing remote method calls on COM objects. Adversaries with Administrator privileges can remotely obtain code execution through Office applications (Excel, Outlook), MMC20.Application, ShellWindows, and other insecure COM objects. Tools like Empire's Invoke-DCOM, Cobalt Strike, and SILENTTRINITY have built-in DCOM lateral movement capabilities. DCOM communicates over TCP port 135 (RPC endpoint mapper) and dynamically assigned high ports.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.003 Distributed Component Object Model
Canonical reference
https://attack.mitre.org/techniques/T1021/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect DCOM lateral movement via process spawning from COM host processes
let DcomLaunchParents = dynamic(["mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
// Pattern 1: Suspicious child processes from DCOM/COM hosts
| where InitiatingProcessFileName has_any (DcomLaunchParents)
| where FileName has_any (SuspiciousChildren)
| extend Pattern = "COM_SuspiciousChild"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, Pattern
| union (
    // Pattern 2: MMC20 DCOM lateral movement (shellexecute via MMC)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName =~ "mmc.exe"
    | where FileName =~ "cmd.exe" or FileName =~ "powershell.exe"
    | extend Pattern = "MMC20_DCOM"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine, Pattern
)
| union (
    // Pattern 3: dcomcnfg.exe execution (DCOM config tool)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "dcomcnfg.exe"
    | extend Pattern = "DCOM_ConfigTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine, Pattern
)
| sort by Timestamp desc
high severity medium confidence

Detects DCOM lateral movement by monitoring for suspicious child process spawning from COM-capable applications (MMC, Office apps), direct use of dcomcnfg.exe configuration tool, and known DCOM lateral movement patterns. DCOM execution typically results in cmd.exe, powershell.exe, or other interpreters being spawned by COM host processes on the remote machine.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceNetworkEvents

False Positives & Tuning

  • Legitimate administrative scripts using DCOM to manage remote systems via WMI (IT automation tools like Ansible, SCCM)
  • Office applications launching helper processes during document processing or macro execution for legitimate business use
  • MMC snap-ins spawning cmd.exe for legitimate administrative tasks by IT staff
  • Software developers testing DCOM-based applications or COM server registration
  • Monitoring tools that use COM automation to collect system information
Download portable Sigma rule (.yml)

Other platforms for T1021.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DCOM Lateral Movement via MMC20.Application

    Expected signal: Sysmon Event ID 1: powershell.exe process with MMC20.Application in command line. Sysmon Event ID 3: outbound connection to 127.0.0.1 on port 135 and dynamic RPC port. Sysmon Event ID 1 on target: mmc.exe spawning cmd.exe. Sysmon Event ID 11: dcom_test.txt file created in C:\Windows\Temp.

  2. Test 2DCOM Lateral Movement via ShellWindows

    Expected signal: Sysmon Event ID 1: powershell.exe with CLSID 9BA05972 in command line. Sysmon Event ID 3: connection to 127.0.0.1:135. Sysmon Event ID 1: explorer.exe or svchost spawning cmd.exe on the target.

  3. Test 3Query DCOM Configuration via dcomcnfg

    Expected signal: Sysmon Event ID 1: Process Create for dcomcnfg.exe. Security Event ID 4688 (if command-line auditing enabled). The process tree will show dcomcnfg.exe spawning mmc.exe as a child.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1021.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1021.004SSHT1021.005VNCT1021.006Windows Remote ManagementT1021.007Cloud ServicesT1021.008Direct Cloud VM Connections

Related Techniques

T1021Remote ServicesT1047Windows Management InstrumentationT1559.001Component Object ModelT1175Component Object Model and Distributed COMT1021.002SMB/Windows Admin SharesT1059.001PowerShellT1055Process InjectionT1546.015Component Object Model Hijacking

Same Tactic: Lateral Movement

Popular Detections