T1021.003 Splunk · SPL

Detect Distributed Component Object Model in Splunk

Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). DCOM extends Windows COM (Component Object Model) beyond local machines using RPC, allowing remote method calls on COM objects. Adversaries with Administrator privileges can remotely obtain code execution through Office applications (Excel, Outlook), MMC20.Application, ShellWindows, and other insecure COM objects. Tools like Empire's Invoke-DCOM, Cobalt Strike, and SILENTTRINITY have built-in DCOM lateral movement capabilities. DCOM communicates over TCP port 135 (RPC endpoint mapper) and dynamically assigned high ports.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.003 Distributed Component Object Model
Canonical reference
https://attack.mitre.org/techniques/T1021/003/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (ParentImage="*\\mmc.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\winword.exe" OR ParentImage="*\\outlook.exe" OR ParentImage="*\\powerpnt.exe")
  AND
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe")
)
OR
(
  Image="*\\dcomcnfg.exe"
)
OR
(
  CommandLine="*-Exec*" AND CommandLine="*DCOM*"
)
| eval DetectionPattern=case(
    match(ParentImage, "(mmc|excel|winword|outlook|powerpnt)") AND match(Image, "(cmd|powershell|wscript|cscript|mshta|rundll32)"), "COM_SuspiciousChild",
    match(Image, "dcomcnfg"), "DCOM_ConfigTool",
    match(CommandLine, "DCOM"), "DCOM_CommandLineRef",
    true(), "DCOM_Other"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionPattern
| sort - _time
high severity medium confidence

Detects DCOM lateral movement patterns using Sysmon Event ID 1. Monitors for suspicious child processes spawned from Office applications and MMC (common DCOM lateral movement vectors), dcomcnfg.exe configuration tool execution, and command lines referencing DCOM. The DetectionPattern field classifies the specific detection category.

Data Sources

Process: Process CreationSysmon Event ID 1 (Process Create)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate administrative scripts using DCOM/WMI for remote management
  • Office applications launching helper processes for legitimate macro execution
  • MMC snap-ins spawning cmd.exe for administrative tasks
  • Software developers testing DCOM-based applications
  • Monitoring tools using COM automation
Download portable Sigma rule (.yml)

Other platforms for T1021.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DCOM Lateral Movement via MMC20.Application

    Expected signal: Sysmon Event ID 1: powershell.exe process with MMC20.Application in command line. Sysmon Event ID 3: outbound connection to 127.0.0.1 on port 135 and dynamic RPC port. Sysmon Event ID 1 on target: mmc.exe spawning cmd.exe. Sysmon Event ID 11: dcom_test.txt file created in C:\Windows\Temp.

  2. Test 2DCOM Lateral Movement via ShellWindows

    Expected signal: Sysmon Event ID 1: powershell.exe with CLSID 9BA05972 in command line. Sysmon Event ID 3: connection to 127.0.0.1:135. Sysmon Event ID 1: explorer.exe or svchost spawning cmd.exe on the target.

  3. Test 3Query DCOM Configuration via dcomcnfg

    Expected signal: Sysmon Event ID 1: Process Create for dcomcnfg.exe. Security Event ID 4688 (if command-line auditing enabled). The process tree will show dcomcnfg.exe spawning mmc.exe as a child.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1021.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1021.004SSHT1021.005VNCT1021.006Windows Remote ManagementT1021.007Cloud ServicesT1021.008Direct Cloud VM Connections

Related Techniques

T1021Remote ServicesT1047Windows Management InstrumentationT1559.001Component Object ModelT1175Component Object Model and Distributed COMT1021.002SMB/Windows Admin SharesT1059.001PowerShellT1055Process InjectionT1546.015Component Object Model Hijacking

Same Tactic: Lateral Movement

Popular Detections