T1175 Google Chronicle · YARA-L

Detect Component Object Model and Distributed COM in Google Chronicle

Adversaries may abuse the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to move laterally across a network. This deprecated technique encompasses both local COM abuse (now T1559.001) and DCOM-based lateral movement (now T1021.003). COM is a native Windows API component enabling interaction between software objects through well-defined interfaces; DCOM extends this functionality over a network via RPC. Adversaries exploit COM interfaces to invoke arbitrary code execution through C++, Java, VBScript, and PowerShell. For DCOM lateral movement, privileged users can remotely activate objects such as MMC20.Application (CLSID: 49B2791A-B1AE-4C90-9B8E-E860BA07F889), ShellWindows (CLSID: 9BA05972-F6A8-11CF-A442-00A0C90A8F39), and ShellBrowserWindow (CLSID: C08AFD90-F2A1-11D1-8455-00A0C91F3880) to execute commands on remote hosts. Microsoft Office application objects (Excel.Application, Outlook.Application) exposed via DCOM also permit remote code execution and macro invocation. COM surrogate processes (dllhost.exe /Processid:{CLSID}) serve as the activation vehicle for out-of-process COM servers, making dllhost.exe spawning unexpected child processes a high-fidelity indicator. DCOM lateral movement communicates over TCP 135 (RPC Endpoint Mapper) before negotiating an ephemeral high port, distinguishing it from WMI or SMB-based lateral movement.

MITRE ATT&CK

Tactic: Lateral Movement, Execution
Canonical reference: https://attack.mitre.org/techniques/T1175/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1175_com_dcom_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects COM and DCOM abuse (T1175) — shell processes spawned from COM surrogate dllhost.exe, MMC20.Application, or Office application DCOM interfaces indicating local COM execution or DCOM lateral movement"
    mitre_attack_tactic = "Lateral Movement, Execution"
    mitre_attack_technique = "T1175"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Child process is a shell or script interpreter
    $e.principal.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$/
    (
      (
        // COM surrogate hosting an out-of-process COM server for an explicit CLSID
        $e.principal.process.parent_process.file.full_path = /(?i)\\dllhost\.exe$/
        and $e.principal.process.parent_process.command_line = /(?i)\/Processid:/
      )
      // MMC20.Application DCOM object (mmc.exe)
      or $e.principal.process.parent_process.file.full_path = /(?i)\\mmc\.exe$/
      // Office application DCOM objects (Excel.Application, Outlook.Application, ...)
      or $e.principal.process.parent_process.file.full_path = /(?i)\\(excel|outlook|winword|powerpnt|onenote)\.exe$/
    )
    // Match variable must be bound in the events section before the match section can group on it
    $hostname = $e.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // A rule with a match window must aggregate its outcome values
    $risk_score = max(
      if($e.principal.process.parent_process.file.full_path = /(?i)\\dllhost\.exe$/ and $e.principal.process.parent_process.command_line = /(?i)\/Processid:/, 95,
        if($e.principal.process.parent_process.file.full_path = /(?i)\\mmc\.exe$/, 85, 75))
    )
    $com_vector = array_distinct(if(
      $e.principal.process.parent_process.file.full_path = /(?i)\\dllhost\.exe$/, "COM_Surrogate_Activation",
      if($e.principal.process.parent_process.file.full_path = /(?i)\\mmc\.exe$/, "MMC20_Application_DCOM", "Office_Application_DCOM")
    ))
    $target_host = array_distinct($e.principal.hostname)
    $user = array_distinct($e.principal.user.userid)
    $child_process = array_distinct($e.principal.process.command_line)
    $parent_cmdline = array_distinct($e.principal.process.parent_process.command_line)

  condition:
    $e
}
```

This Chronicle YARA-L 2.0 rule detects COM and DCOM abuse by matching Sysmon/EDR process launch events in which a shell or script interpreter is spawned by a COM surrogate process (dllhost.exe with a CLSID), by MMC20.Application (mmc.exe), or by an Office application DCOM object. It scores by COM vector, assigning the highest risk to COM surrogate activation with CLSID indicators.
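As an added illustration (not part of this page or the Argus rule set), the Python below re-implements the rule's events filter, per-host 5-minute grouping and outcome scoring and runs it over a few constructed PROCESS_LAUNCH events, so the scoring tiers and the non-matching case can be checked before the rule is deployed. The flat field names in the sample events are an assumed simplification of the UDM paths.

```python
import re
from collections import defaultdict

# Patterns copied from the rule's events section; (?i) gives the same case-insensitive matching as YARA-L.
CHILD = re.compile(r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$")
DLLHOST = re.compile(r"(?i)\\dllhost\.exe$")
PROCESSID = re.compile(r"(?i)/Processid:")
MMC = re.compile(r"(?i)\\mmc\.exe$")
OFFICE = re.compile(r"(?i)\\(excel|outlook|winword|powerpnt|onenote)\.exe$")

def classify(ev):  # mirrors the events filter and the outcome if-tree: (com_vector, risk_score) or None
    if ev["event_type"] != "PROCESS_LAUNCH" or not CHILD.search(ev["path"]):
        return None
    parent, parent_cmd = ev["parent_path"], ev.get("parent_cmdline", "")
    if DLLHOST.search(parent) and PROCESSID.search(parent_cmd):
        return "COM_Surrogate_Activation", 95  # out-of-process COM server hosted for an explicit CLSID
    if MMC.search(parent):
        return "MMC20_Application_DCOM", 85
    if OFFICE.search(parent):
        return "Office_Application_DCOM", 75
    return None  # any other parent (explorer.exe, notepad.exe, ...) is out of scope for this rule

def evaluate(events, window_s=300):  # groups hits per (hostname, 5-minute bucket), like "match: $hostname over 5m"
    groups = defaultdict(lambda: {"risk_score": 0, "com_vector": set(), "user": set(), "child_process": []})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        vector, score = hit
        g = groups[(ev["hostname"], ev["ts"] // window_s)]
        g["risk_score"] = max(g["risk_score"], score)  # max() over the window, as in the rule's outcome
        g["com_vector"].add(vector)                     # array_distinct() equivalent
        g["user"].add(ev["user"])
        g["child_process"].append(ev["cmdline"])
    return {k: {**v, "com_vector": sorted(v["com_vector"]), "user": sorted(v["user"])} for k, v in groups.items()}  # sets -> sorted lists

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry; the CLSID is the MMC20.Application one
    {"event_type": "PROCESS_LAUNCH", "hostname": "HOST-A", "ts": 1000, "user": "alice",
     "path": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami",
     "parent_path": "C:\\Windows\\System32\\dllhost.exe",
     "parent_cmdline": "dllhost.exe /Processid:{49B2791A-B1AE-4C90-9B8E-E860BA07F889}"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "HOST-A", "ts": 1100, "user": "alice",
     "path": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami",
     "parent_path": "C:\\Windows\\System32\\mmc.exe", "parent_cmdline": "mmc.exe"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "HOST-B", "ts": 1000, "user": "bob",
     "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop",
     "parent_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "parent_cmdline": "EXCEL.EXE /automation"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "HOST-B", "ts": 1050, "user": "bob", "path": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe", "parent_path": "C:\\Windows\\explorer.exe", "parent_cmdline": "explorer.exe"},  # benign parent: no match
]
```

Running `evaluate(SAMPLE_EVENTS)` yields one detection per host: HOST-A at risk 95 with two vectors, HOST-B at risk 75 with only the Office vector, and the explorer.exe-spawned cmd.exe contributes nothing.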

Data Sources

  • Chronicle UDM (Unified Data Model)
  • Google Chronicle SIEM
  • Sysmon forwarded via Chronicle ingestion

Required Tables

PROCESS_LAUNCH UDM events

False Positives & Tuning

  • Authorized use of COM surrogate processes by Windows subsystems for legitimate out-of-process COM server activation during software installation, thumbnail generation, or shell extension loading
  • System administration scripts that programmatically interact with MMC snap-ins (e.g., AD management, GPO editing) via mmc.exe COM interface, resulting in benign shell child process creation
  • Automated document processing pipelines using Office application COM automation (VBA macro execution, mail merge, report generation) that spawn cmd.exe or PowerShell as part of their documented workflow
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MMC20.Application DCOM Local Shell Execution

    Expected signal: Sysmon Event ID 1: mmc.exe created (parent: powershell.exe), then cmd.exe spawned with ParentImage=mmc.exe, CommandLine='/c whoami > %TEMP%\dcom-mmc20-test.txt'. Sysmon Event ID 11: file created at %TEMP%\dcom-mmc20-test.txt. DeviceProcessEvents shows InitiatingProcessFileName='mmc.exe' spawning FileName='cmd.exe'. DCOM-Server/Operational may log the COM activation.

  2. Test 2: ShellWindows COM Object Shell Execution via Shell.Application

    Expected signal: Sysmon Event ID 1: cmd.exe spawned with ParentImage=explorer.exe or dllhost.exe depending on Windows version and COM activation path. File created at %TEMP%\shellapp-test.txt. PowerShell ScriptBlock Log Event ID 4104 captures 'New-Object -ComObject Shell.Application' and 'ShellExecute' calls. DeviceProcessEvents records the cmd.exe creation with its initiating process context.

  3. Test 3: DCOM Remote Execution via MMC20.Application (Lab Environment — Requires Admin on Target)

    Expected signal: SOURCE: Sysmon Event ID 3 — TCP connection to 192.168.1.100:135, then ephemeral port connection. Security Event ID 4648 if alternate credentials used. TARGET: Security Event ID 4624 Type 3 (network logon) from source IP. Sysmon Event ID 1: dllhost.exe /Processid:{49B2791A-B1AE-4C90-9B8E-E860BA07F889} created, then cmd.exe spawned with ParentImage=dllhost.exe. File created at C:\Windows\Temp\dcom-remote-test.txt.

  4. Test 4: COM Object Scheduled Task Creation via Schedule.Service

    Expected signal: Sysmon Event ID 12/13 (Registry): Task Scheduler registry key creation under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\. Security Event ID 4698 (Scheduled task created) in Windows Security log. PowerShell ScriptBlock Log Event ID 4104 showing New-Object -ComObject Schedule.Service invocation. DeviceProcessEvents shows only powershell.exe (no schtasks.exe child process — the entire task creation happens via COM API).
