Which SIEM platforms have a T1175 detection rule?

df00tech provides T1175 (Component Object Model and Distributed COM) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Component Object Model and Distributed COM (T1175)?

Detecting Component Object Model and Distributed COM requires the following data sources: Process: Process Creation, Microsoft Defender for Endpoint.

What severity and confidence is the T1175 detection?

The T1175 detection is rated high severity with medium confidence.

What are common false positives for T1175?

Common false positives for T1175 include: Legitimate IT administration tools using MMC snap-ins that internally spawn helper processes for managed operations (disk management, event viewer, device manager); Software installation packages activating COM servers via dllhost.exe as part of normal registration workflows (MSI installers, COM+ application setup); Microsoft Office macros performing legitimate document automation that spawn helper processes such as mail merge or report generation scripts.

T1175

Component Object Model and Distributed COM

Lateral Movement Execution Last updated: April 18, 2026

Adversaries may abuse the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to move laterally across a network. This deprecated technique encompasses both local COM abuse (now T1559.001) and DCOM-based lateral movement (now T1021.003). COM is a native Windows API component enabling interaction between software objects through well-defined interfaces; DCOM extends this functionality over a network via RPC. Adversaries exploit COM interfaces to invoke arbitrary code execution through C++, Java, VBScript, and PowerShell. For DCOM lateral movement, privileged users can remotely activate objects such as MMC20.Application (CLSID: 49B2791A-B1AE-4C90-9B8E-E860BA07F889), ShellWindows (CLSID: 9BA05972-F6A8-11CF-A442-00A0C90A8F39), and ShellBrowserWindow (CLSID: C08AFD90-F2A1-11D1-8455-00A0C91F3880) to execute commands on remote hosts. Microsoft Office application objects (Excel.Application, Outlook.Application) exposed via DCOM also permit remote code execution and macro invocation. COM surrogate processes (dllhost.exe /Processid:{CLSID}) serve as the activation vehicle for out-of-process COM servers, making dllhost.exe spawning unexpected child processes a high-fidelity indicator. DCOM lateral movement communicates over TCP 135 (RPC Endpoint Mapper) before negotiating an ephemeral high port, distinguishing it from WMI or SMB-based lateral movement.

What is T1175 Component Object Model and Distributed COM?

Component Object Model and Distributed COM (T1175) maps to the Lateral Movement and Execution tactics — the adversary is trying to move through your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Component Object Model and Distributed COM, covering the data sources and telemetry it touches: Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Lateral Movement Execution
Canonical reference: https://attack.mitre.org/techniques/T1175/

Microsoft Sentinel / Defender

kusto

let COMShells = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
let OfficeApps = dynamic(["excel.exe", "outlook.exe", "winword.exe", "powerpnt.exe", "onenote.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (COMShells)
| where (
    // COM Surrogate (dllhost.exe /Processid:) spawning shells — primary DCOM remote activation indicator
    (InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "/Processid:")
    // MMC20.Application abuse — classic DCOM lateral movement vector documented by enigma0x3
    or (InitiatingProcessFileName =~ "mmc.exe" and FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"))
    // Office application DCOM — Excel, Outlook, or Word spawning shells via COM interfaces
    or (InitiatingProcessFileName in~ (OfficeApps) and FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"))
  )
| extend COMVector = case(
    InitiatingProcessFileName =~ "dllhost.exe", "COM_Surrogate_Activation",
    InitiatingProcessFileName =~ "mmc.exe", "MMC20_Application_DCOM",
    InitiatingProcessFileName in~ (OfficeApps), "Office_Application_DCOM",
    "Unknown_COM"
  )
| extend DCOMIndicator = InitiatingProcessCommandLine has_any ("/Processid:", "-Embedding")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, COMVector, DCOMIndicator
| sort by Timestamp desc

Detects COM and DCOM abuse by identifying suspicious process chains originating from known COM activation parents. Covers three primary vectors: (1) COM surrogate processes (dllhost.exe with /Processid: argument) spawning shells — the most reliable DCOM remote execution indicator because all out-of-process COM server activations route through dllhost.exe; (2) MMC20.Application DCOM lateral movement where mmc.exe spawns a command interpreter; (3) Microsoft Office DCOM execution where Excel, Outlook, or Word spawn shells via exposed COM application objects. The DCOMIndicator flag highlights processes showing DCOM-specific activation arguments for analyst prioritization.

high severity medium confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate IT administration tools using MMC snap-ins that internally spawn helper processes for managed operations (disk management, event viewer, device manager)
Software installation packages activating COM servers via dllhost.exe as part of normal registration workflows (MSI installers, COM+ application setup)
Microsoft Office macros performing legitimate document automation that spawn helper processes such as mail merge or report generation scripts
Remote management products (RMM tools, monitoring agents) that use DCOM as a transport mechanism for legitimate administrative operations on managed endpoints
COM+ application servers hosting business line applications that legitimately spawn worker processes via dllhost.exe as part of their normal operation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where (ParentImage LIKE "%\\dllhost.exe" OR ParentImage LIKE "%\\mmc.exe" OR ParentImage LIKE "%\\excel.exe" OR ParentImage LIKE "%\\outlook.exe" OR ParentImage LIKE "%\\winword.exe" OR ParentImage LIKE "%\\powerpnt.exe")
| where (Image LIKE "%\\cmd.exe" OR Image LIKE "%\\powershell.exe" OR Image LIKE "%\\pwsh.exe" OR Image LIKE "%\\wscript.exe" OR Image LIKE "%\\cscript.exe" OR Image LIKE "%\\mshta.exe" OR Image LIKE "%\\rundll32.exe")
| eval IsCOMSurrogate=if(ParentImage LIKE "%\\dllhost.exe" AND CommandLine LIKE "%/Processid:%", 1, 0)
| eval IsMMCSpawn=if(ParentImage LIKE "%\\mmc.exe", 1, 0)
| eval IsOfficeSpawn=if(ParentImage LIKE "%\\excel.exe" OR ParentImage LIKE "%\\outlook.exe" OR ParentImage LIKE "%\\winword.exe" OR ParentImage LIKE "%\\powerpnt.exe", 1, 0)
| eval COMVector=case(IsCOMSurrogate=1, "COM_Surrogate_Activation", IsMMCSpawn=1, "MMC20_Application_DCOM", IsOfficeSpawn=1, "Office_Application_DCOM", true(), "Unknown_COM")
| eval DCOMIndicator=if(match(ParentCommandLine, "(?i)(/Processid:|-Embedding)"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, COMVector, DCOMIndicator
| sort - _time

Detects COM and DCOM abuse using Sysmon Event ID 1 (Process Create) by identifying suspicious parent-child process chains from known COM activation parents. Initial field filtering narrows scope to relevant parent executables (dllhost.exe, mmc.exe, Office apps) spawning known shells and interpreters. Categorizes each detection into COM vectors — COM_Surrogate_Activation, MMC20_Application_DCOM, or Office_Application_DCOM — and flags DCOM-specific activation arguments in parent command lines for analyst triage prioritization.

high severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IT administration tools using MMC snap-ins that internally spawn helper processes for managed operations
Software installation packages activating COM servers via dllhost.exe as part of normal registration workflows
Microsoft Office macros performing legitimate document automation that spawn helper processes
Remote management products using DCOM as a transport for legitimate administrative operations
COM+ application servers that legitimately spawn worker processes via dllhost.exe as part of business application hosting

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "ParentImage",
  "ParentCommandLine",
  "Image",
  "CommandLine",
  CASE
    WHEN LOWER("ParentImage") LIKE '%\dllhost.exe' AND "ParentCommandLine" ILIKE '%/Processid:%' THEN 'COM_Surrogate_Activation'
    WHEN LOWER("ParentImage") LIKE '%\mmc.exe' THEN 'MMC20_Application_DCOM'
    WHEN LOWER("ParentImage") LIKE '%\excel.exe'
      OR LOWER("ParentImage") LIKE '%\outlook.exe'
      OR LOWER("ParentImage") LIKE '%\winword.exe'
      OR LOWER("ParentImage") LIKE '%\powerpnt.exe' THEN 'Office_Application_DCOM'
    ELSE 'Unknown_COM'
  END AS com_vector
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (12, 119, 432)
  AND CATEGORYNAME(category) ILIKE '%process%'
  AND devicetime > NOW() - 1 DAYS
  AND (
    LOWER("Image") LIKE '%\cmd.exe'
    OR LOWER("Image") LIKE '%\powershell.exe'
    OR LOWER("Image") LIKE '%\pwsh.exe'
    OR LOWER("Image") LIKE '%\wscript.exe'
    OR LOWER("Image") LIKE '%\cscript.exe'
    OR LOWER("Image") LIKE '%\mshta.exe'
    OR LOWER("Image") LIKE '%\rundll32.exe'
    OR LOWER("Image") LIKE '%\regsvr32.exe'
  )
  AND (
    (LOWER("ParentImage") LIKE '%\dllhost.exe' AND "ParentCommandLine" ILIKE '%/Processid:%')
    OR LOWER("ParentImage") LIKE '%\mmc.exe'
    OR LOWER("ParentImage") LIKE '%\excel.exe'
    OR LOWER("ParentImage") LIKE '%\outlook.exe'
    OR LOWER("ParentImage") LIKE '%\winword.exe'
    OR LOWER("ParentImage") LIKE '%\powerpnt.exe'
  )
ORDER BY devicetime DESC

AQL rule detecting COM/DCOM abuse by correlating Sysmon process creation events where shell interpreters are spawned by COM surrogate (dllhost.exe /Processid:), MMC20.Application, or Office applications via DCOM. Classifies the COM vector to distinguish local COM surrogate execution from DCOM lateral movement patterns.

high severity medium confidence

Data Sources

QRadar Sysmon DSM QRadar Windows Security Event Log DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Enterprise management platforms that use COM automation to drive Office applications for report generation or document conversion, legitimately spawning child processes
Legitimate PowerShell scripts executed through scheduled tasks that use COM interop to interact with Office or MMC snap-ins during normal IT operations
Software testing frameworks that invoke Office application COM interfaces (e.g., Selenium with Office interop, automated document processors) generating benign shell child processes

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where EventID = "1" OR EventCode = "1"
| parse field=ParentImage "*\\*" as ParentPath, ParentProcess nodrop
| parse field=Image "*\\*" as ChildPath, ChildProcess nodrop
| where ChildProcess in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| where (
    (toLowerCase(ParentProcess) = "dllhost.exe" and (ParentCommandLine contains "/Processid:" or ParentCommandLine contains "/processid:"))
    or toLowerCase(ParentProcess) = "mmc.exe"
    or toLowerCase(ParentProcess) in ("excel.exe", "outlook.exe", "winword.exe", "powerpnt.exe", "onenote.exe")
  )
| eval COMVector = if(toLowerCase(ParentProcess) = "dllhost.exe", "COM_Surrogate_Activation",
    if(toLowerCase(ParentProcess) = "mmc.exe", "MMC20_Application_DCOM",
      if(toLowerCase(ParentProcess) in ("excel.exe", "outlook.exe", "winword.exe", "powerpnt.exe", "onenote.exe"), "Office_Application_DCOM",
        "Unknown_COM")))
| eval DCOMIndicator = if(ParentCommandLine matches "(?i)(/Processid:|-Embedding)", "true", "false")
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, COMVector, DCOMIndicator
| sort by _messageTime desc

Sumo Logic query detecting COM/DCOM abuse (T1175) by identifying shell interpreter processes (cmd.exe, powershell.exe, etc.) spawned by COM surrogate dllhost.exe with CLSID parameters, MMC20.Application, or Office application DCOM interfaces. Enriches events with COMVector classification and DCOM indicator flag.

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon via Sumo Logic Windows Event Source Sumo Logic Cloud SIEM Enterprise (CSE)

Required Tables

Windows Event Log (Sysmon EventID 1)

False Positives

Legitimate COM-based administrative automation using dllhost.exe surrogate processes for out-of-process COM server activation during standard software installations or updates
Microsoft Management Console (mmc.exe) extensions or snap-ins that programmatically launch PowerShell or cmd.exe for configuration operations as part of authorized IT administration
Business process automation solutions that use Office DCOM interfaces (e.g., document generation pipelines, data extraction workflows) and legitimately spawn child processes during operation

Google Chronicle / SecOps

yaral

rule t1175_com_dcom_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects COM and DCOM abuse (T1175) — shell processes spawned from COM surrogate dllhost.exe, MMC20.Application, or Office application DCOM interfaces indicating local COM execution or DCOM lateral movement"
    mitre_attack_tactic = "Lateral Movement, Execution"
    mitre_attack_technique = "T1175"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$/
    (
      (
        $e.principal.process.parent_process.file.full_path = /(?i)\\dllhost\.exe$/
        and $e.principal.process.parent_process.command_line = /(?i)\/Processid:/
      )
      or $e.principal.process.parent_process.file.full_path = /(?i)\\mmc\.exe$/
      or $e.principal.process.parent_process.file.full_path = /(?i)\\(excel|outlook|winword|powerpnt|onenote)\.exe$/
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if($e.principal.process.parent_process.file.full_path = /(?i)\\dllhost\.exe$/ and $e.principal.process.parent_process.command_line = /(?i)\/Processid:/, 95,
        if($e.principal.process.parent_process.file.full_path = /(?i)\\mmc\.exe$/, 85, 75))
    )
    $com_vector = if(
      $e.principal.process.parent_process.file.full_path = /(?i)\\dllhost\.exe$/, "COM_Surrogate_Activation",
      if($e.principal.process.parent_process.file.full_path = /(?i)\\mmc\.exe$/, "MMC20_Application_DCOM", "Office_Application_DCOM")
    )
    $target_host = $e.principal.hostname
    $user = $e.principal.user.userid
    $child_process = $e.principal.process.command_line
    $parent_cmdline = $e.principal.process.parent_process.command_line

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting COM and DCOM abuse by matching Sysmon/EDR process launch events where shell interpreters are spawned by COM surrogate processes (dllhost.exe with CLSID), MMC20.Application (mmc.exe), or Office application DCOM objects. Scores by COM vector type with highest risk for COM surrogate with CLSID indicators.

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Google Chronicle SIEM Sysmon forwarded via Chronicle ingestion

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Authorized use of COM surrogate processes by Windows subsystems for legitimate out-of-process COM server activation during software installation, thumbnail generation, or shell extension loading
System administration scripts that programmatically interact with MMC snap-ins (e.g., AD management, GPO editing) via mmc.exe COM interface, resulting in benign shell child process creation
Automated document processing pipelines using Office application COM automation (VBA macro execution, mail merge, report generation) that spawn cmd.exe or PowerShell as part of their documented workflow

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(dllhost\.exe|mmc\.exe|excel\.exe|outlook\.exe|winword\.exe|powerpnt\.exe|onenote\.exe)$/i
| FileName = /^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$/i
| case {
    ParentBaseFileName = /^dllhost\.exe$/i AND ParentCommandLine = /\/Processid:/i
      | COMVector := "COM_Surrogate_Activation" | RiskScore := 95 ;
    ParentBaseFileName = /^mmc\.exe$/i
      | COMVector := "MMC20_Application_DCOM" | RiskScore := 85 ;
    ParentBaseFileName = /^(excel|outlook|winword|powerpnt|onenote)\.exe$/i
      | COMVector := "Office_Application_DCOM" | RiskScore := 75 ;
    *
      | COMVector := "Unknown_COM" | RiskScore := 50
  }
| DCOMIndicator := if(ParentCommandLine = /\/Processid:|-Embedding/i, "true", "false")
| select([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, COMVector, DCOMIndicator, RiskScore])
| sort(RiskScore, order=desc)

CrowdStrike LogScale (Falcon) query detecting COM and DCOM abuse (T1175) via ProcessRollup2 events. Identifies shell interpreters spawned by COM surrogate (dllhost.exe with /Processid: CLSID), MMC20.Application, or Office application DCOM interfaces. Enriches each match with COMVector classification and risk scoring for analyst triage prioritization.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon Data Replicator (FDR) Falcon LogScale (Humio)

Required Tables

ProcessRollup2 Falcon event stream

False Positives

CrowdStrike Falcon sensor itself or other security products that use COM surrogate processes during legitimate scanning, file inspection, or shell extension enumeration workflows
Enterprise software deployment systems (e.g., Microsoft SCCM OSD task sequences, Citrix provisioning) that leverage dllhost.exe COM activation or Office DCOM during package deployment on managed endpoints
Development and QA environments running automated UI testing frameworks (e.g., WinAppDriver, UI Automation) that interact with Office or shell COM interfaces and create child processes as part of test execution

Sigma rule & cross-platform mapping

The detection logic for Component Object Model and Distributed COM (T1175) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1175 Sigma rules on detection.fyi

Platform-specific guides for T1175

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (12)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1MMC20.Application DCOM Local Shell Execution
Expected signal: Sysmon Event ID 1: mmc.exe created (parent: powershell.exe), then cmd.exe spawned with ParentImage=mmc.exe, CommandLine='/c whoami > %TEMP%\dcom-mmc20-test.txt'. Sysmon Event ID 11: file created at %TEMP%\dcom-mmc20-test.txt. DeviceProcessEvents shows InitiatingProcessFileName='mmc.exe' spawning FileName='cmd.exe'. DCOM-Server/Operational may log the COM activation.
Test 2ShellWindows COM Object Shell Execution via Shell.Application
Expected signal: Sysmon Event ID 1: cmd.exe spawned with ParentImage=explorer.exe or dllhost.exe depending on Windows version and COM activation path. File created at %TEMP%\shellapp-test.txt. PowerShell ScriptBlock Log Event ID 4104 captures 'New-Object -ComObject Shell.Application' and 'ShellExecute' calls. DeviceProcessEvents records the cmd.exe creation with its initiating process context.
Test 3DCOM Remote Execution via MMC20.Application (Lab Environment — Requires Admin on Target)
Expected signal: SOURCE: Sysmon Event ID 3 — TCP connection to 192.168.1.100:135, then ephemeral port connection. Security Event ID 4648 if alternate credentials used. TARGET: Security Event ID 4624 Type 3 (network logon) from source IP. Sysmon Event ID 1: dllhost.exe /Processid:{49B2791A-B1AE-4C90-9B8E-E860BA07F889} created, then cmd.exe spawned with ParentImage=dllhost.exe. File created at C:\Windows\Temp\dcom-remote-test.txt.
Test 4COM Object Scheduled Task Creation via Schedule.Service
Expected signal: Sysmon Event ID 12/13 (Registry): Task Scheduler registry key creation under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\. Security Event ID 4698 (Scheduled task created) in Windows Security log. PowerShell ScriptBlock Log Event ID 4104 showing New-Object -ComObject Schedule.Service invocation. DeviceProcessEvents shows only powershell.exe (no schtasks.exe child process — the entire task creation happens via COM API).

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1175 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Component Object Model and Distributed COM

What is T1175 Component Object Model and Distributed COM?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1175

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Lateral Movement

Popular Detections

What is T1175 Component Object Model and Distributed COM?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1175

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Lateral Movement

Popular Detections

Get new detections in your inbox