Detect Distributed Component Object Model in Sumo Logic CSE
Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). DCOM extends Windows COM (Component Object Model) beyond local machines using RPC, allowing remote method calls on COM objects. Adversaries with Administrator privileges can remotely obtain code execution through Office applications (Excel, Outlook), MMC20.Application, ShellWindows, and other insecure COM objects. Tools like Empire's Invoke-DCOM, Cobalt Strike, and SILENTTRINITY have built-in DCOM lateral movement capabilities. DCOM communicates over TCP port 135 (RPC endpoint mapper) and dynamically assigned high ports.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1021 Remote Services
- Sub-technique
- T1021.003 Distributed Component Object Model
- Canonical reference
- https://attack.mitre.org/techniques/T1021/003/
Sumo Detection Query
_sourceCategory=*windows/sysmon* OR _sourceCategory=*wineventlog*
| where EventCode = "1" OR EventCode = "4688"
| parse regex field=ParentImage "(?i)(?<ParentProcessName>[^\\\\]+)$" nodrop
| parse regex field=Image "(?i)(?<ChildProcessName>[^\\\\]+)$" nodrop
| toLowerCase(ParentProcessName) as parent_proc
| toLowerCase(ChildProcessName) as child_proc
| where (
(
parent_proc in ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe")
AND child_proc in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
)
OR child_proc = "dcomcnfg.exe"
OR (CommandLine matches "*DCOM*" AND CommandLine matches "*-Exec*")
)
| if (child_proc = "dcomcnfg.exe", "DCOM_ConfigTool",
if (parent_proc in ("mmc.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe", "visio.exe"),
"COM_SuspiciousChild", "DCOM_CommandLineRef")) as DetectionPattern
| count as EventCount by _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionPattern
| fields -EventCount
| sort by _messageTime desc

Detects DCOM lateral movement in Sumo Logic by parsing Windows Sysmon Event ID 1 or Security Event ID 4688 process creation logs for suspicious child processes spawned from known COM host applications. Extracts process names from full image paths using regex, then classifies findings into detection patterns. Requires Sysmon or Windows Security log source categories. Two caveats when deploying it: the parse statements read Image and ParentImage, which are Sysmon field names, whereas Security 4688 records carry the same data as NewProcessName and ParentProcessName (and populate CommandLine only when process command-line auditing is enabled), so those fields must be mapped at ingest or the 4688 branch never matches. Also, explorer.exe is not in the parent list, so a ShellWindows-style execution (explorer.exe spawning cmd.exe on the target) is not caught by the parent/child pair and surfaces only if the invoking command line contains both DCOM and -Exec.
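The same classification, re-implemented in Python and run over constructed Sysmon Event ID 1 and Security Event ID 4688 records so the matching logic can be exercised offline. This is an added example, not the Sumo Logic rule itself or code from the page's references; the sample events, hostnames, user names and paths are made up, and the NewProcessName/ParentProcessName mapping in normalize() reflects the Security 4688 field names rather than anything the Sumo query does on its own.

```python
import re

# Parent applications whose COM objects are commonly abused for DCOM execution
COM_HOST_PARENTS = {"mmc.exe", "excel.exe", "winword.exe", "outlook.exe",
                    "powerpnt.exe", "visio.exe"}
# Interpreters and LOLBins a DCOM-delivered payload typically launches
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

_BASENAME = re.compile(r"[^\\]+$")  # same idea as the query's parse regex


def basename(path):
    """Last path component, lower-cased (the query's parse regex + toLowerCase)."""
    if not path:
        return ""
    m = _BASENAME.search(path)
    return (m.group(0) if m else path).lower()


def normalize(event):
    """Map a record onto the Image/ParentImage/CommandLine names the query reads.

    Sysmon Event ID 1 already uses Image and ParentImage. Security 4688 uses
    NewProcessName and ParentProcessName, so without this renaming the query's
    parse statements return nothing for 4688 rows.
    """
    if event.get("EventCode") == "4688":
        return {"EventCode": "4688",
                "Computer": event.get("Computer", ""),
                "User": event.get("User", ""),
                "Image": event.get("NewProcessName", ""),
                "ParentImage": event.get("ParentProcessName", ""),
                "CommandLine": event.get("CommandLine", ""),
                "ParentCommandLine": ""}  # 4688 does not carry the parent's command line
    return event


def classify(event):
    """Return the DetectionPattern label for one event, or None if it does not fire.

    The label follows the condition that matched; the query's nested if() orders
    them the same way (config tool, then COM-host parent, then command line).
    """
    if event.get("EventCode") not in ("1", "4688"):
        return None
    ev = normalize(event)
    parent = basename(ev.get("ParentImage"))
    child = basename(ev.get("Image"))
    cmd = (ev.get("CommandLine") or "").lower()
    if child == "dcomcnfg.exe":
        return "DCOM_ConfigTool"
    if parent in COM_HOST_PARENTS and child in SUSPICIOUS_CHILDREN:
        return "COM_SuspiciousChild"
    if "dcom" in cmd and "-exec" in cmd:  # the two wildcard matches, case-insensitive
        return "DCOM_CommandLineRef"
    return None


def run_detection(events):
    """One result row per matching event, with the fields the query projects."""
    hits = []
    for e in events:
        label = classify(e)
        if label is None:
            continue
        ev = normalize(e)
        hits.append({"Computer": ev.get("Computer", ""), "User": ev.get("User", ""),
                     "Image": ev.get("Image", ""), "CommandLine": ev.get("CommandLine", ""),
                     "ParentImage": ev.get("ParentImage", ""), "DetectionPattern": label})
    return hits


# Constructed sample telemetry (not captured from a real host); paths are illustrative.
SAMPLE_EVENTS = [
    # Test 1 shape: MMC20.Application on the target spawns cmd.exe under mmc.exe
    {"EventCode": "1", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\dcom_test.txt",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\mmc.exe -Embedding"},
    # Test 3 shape: dcomcnfg.exe launched interactively
    {"EventCode": "1", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\dcomcnfg.exe", "CommandLine": "dcomcnfg.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    # Source side of a DCOM move: a DCOM script run from PowerShell
    {"EventCode": "1", "Computer": "WS02", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File Invoke-DCOM.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    # Same parent/child pair arriving as Security 4688 rather than Sysmon
    {"EventCode": "4688", "Computer": "WS03", "User": "CORP\\svc-report",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "cmd.exe /c echo hi"},
    # Test 2 shape (ShellWindows): explorer.exe is not in the parent list, so no hit
    {"EventCode": "1", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    # Benign: Excel printing via splwow64.exe; child is not in the suspicious list
    {"EventCode": "1", "Computer": "WS03", "User": "CORP\\bob",
     "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 8192",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ParentCommandLine": "EXCEL.EXE"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["DetectionPattern"], hit["Computer"], hit["ParentImage"], "->", hit["Image"])
```

Running it yields four rows (the mmc.exe, dcomcnfg.exe, Invoke-DCOM and 4688 Excel events) and no row for the explorer.exe or splwow64.exe events, which is the behaviour to expect from the query itself: the ShellWindows path is only visible through the command-line branch, and an Office parent alone is not enough without a listed child.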
False Positives & Tuning
- Enterprise software deployment via SCCM that uses Office COM objects to deliver or configure applications, spawning cmd.exe or PowerShell as child processes
- Automated reporting systems in finance organizations where Excel macros legitimately spawn wscript.exe to process or export data files on schedule
- IT operations tooling (e.g. Ansible WinRM modules, SaltStack) that uses mmc.exe as an entry point for remote configuration management tasks
- Help desk remote support sessions using legitimate DCOM-based remote management tools that trigger these parent-child process relationships
Testing Methodology
Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: DCOM Lateral Movement via MMC20.Application
Expected signal: Sysmon Event ID 1: powershell.exe process with MMC20.Application in the command line. Sysmon Event ID 3: outbound connection to 127.0.0.1 on port 135 and a dynamic RPC port. Sysmon Event ID 1 on the target: mmc.exe spawning cmd.exe. Sysmon Event ID 11: dcom_test.txt created in C:\Windows\Temp.
- Test 2: DCOM Lateral Movement via ShellWindows
Expected signal: Sysmon Event ID 1: powershell.exe with CLSID 9BA05972 in the command line. Sysmon Event ID 3: connection to 127.0.0.1:135. Sysmon Event ID 1: explorer.exe or svchost spawning cmd.exe on the target.
- Test 3: Query DCOM Configuration via dcomcnfg
Expected signal: Sysmon Event ID 1: Process Create for dcomcnfg.exe. Security Event ID 4688 (if command-line auditing is enabled). The process tree will show dcomcnfg.exe spawning mmc.exe as a child.
References (7)
- https://attack.mitre.org/techniques/T1021/003/
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
- https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1
- https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model