T1175 Microsoft Sentinel · KQL

Detect Component Object Model and Distributed COM in Microsoft Sentinel

Adversaries may abuse the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to move laterally across a network. This deprecated technique encompasses both local COM abuse (now T1559.001) and DCOM-based lateral movement (now T1021.003). COM is a native Windows API component enabling interaction between software objects through well-defined interfaces; DCOM extends this functionality over a network via RPC. Adversaries exploit COM interfaces to invoke arbitrary code execution through C++, Java, VBScript, and PowerShell. For DCOM lateral movement, privileged users can remotely activate objects such as MMC20.Application (CLSID: 49B2791A-B1AE-4C90-9B8E-E860BA07F889), ShellWindows (CLSID: 9BA05972-F6A8-11CF-A442-00A0C90A8F39), and ShellBrowserWindow (CLSID: C08AFD90-F2A1-11D1-8455-00A0C91F3880) to execute commands on remote hosts. Microsoft Office application objects (Excel.Application, Outlook.Application) exposed via DCOM also permit remote code execution and macro invocation. COM surrogate processes (dllhost.exe /Processid:{CLSID}) serve as the activation vehicle for out-of-process COM servers, making dllhost.exe spawning unexpected child processes a high-fidelity indicator. DCOM lateral movement communicates over TCP 135 (RPC Endpoint Mapper) before negotiating an ephemeral high port, distinguishing it from WMI or SMB-based lateral movement.

MITRE ATT&CK

Tactic
Lateral Movement Execution
Canonical reference
https://attack.mitre.org/techniques/T1175/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let COMShells = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
let OfficeApps = dynamic(["excel.exe", "outlook.exe", "winword.exe", "powerpnt.exe", "onenote.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (COMShells)
| where (
    // COM Surrogate (dllhost.exe /Processid:) spawning shells — primary DCOM remote activation indicator
    (InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "/Processid:")
    // MMC20.Application abuse — classic DCOM lateral movement vector documented by enigma0x3
    or (InitiatingProcessFileName =~ "mmc.exe" and FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"))
    // Office application DCOM — Excel, Outlook, or Word spawning shells via COM interfaces
    or (InitiatingProcessFileName in~ (OfficeApps) and FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"))
  )
| extend COMVector = case(
    InitiatingProcessFileName =~ "dllhost.exe", "COM_Surrogate_Activation",
    InitiatingProcessFileName =~ "mmc.exe", "MMC20_Application_DCOM",
    InitiatingProcessFileName in~ (OfficeApps), "Office_Application_DCOM",
    "Unknown_COM"
  )
| extend DCOMIndicator = InitiatingProcessCommandLine has_any ("/Processid:", "-Embedding")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, COMVector, DCOMIndicator
| sort by Timestamp desc
high severity medium confidence

Detects COM and DCOM abuse by identifying suspicious process chains originating from known COM activation parents. Covers three primary vectors: (1) COM surrogate processes (dllhost.exe with /Processid: argument) spawning shells — the most reliable DCOM remote execution indicator because all out-of-process COM server activations route through dllhost.exe; (2) MMC20.Application DCOM lateral movement where mmc.exe spawns a command interpreter; (3) Microsoft Office DCOM execution where Excel, Outlook, or Word spawn shells via exposed COM application objects. The DCOMIndicator flag highlights processes showing DCOM-specific activation arguments for analyst prioritization.

Data Sources

Process: Process CreationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate IT administration tools using MMC snap-ins that internally spawn helper processes for managed operations (disk management, event viewer, device manager)
  • Software installation packages activating COM servers via dllhost.exe as part of normal registration workflows (MSI installers, COM+ application setup)
  • Microsoft Office macros performing legitimate document automation that spawn helper processes such as mail merge or report generation scripts
  • Remote management products (RMM tools, monitoring agents) that use DCOM as a transport mechanism for legitimate administrative operations on managed endpoints
  • COM+ application servers hosting business line applications that legitimately spawn worker processes via dllhost.exe as part of their normal operation
Download portable Sigma rule (.yml)

Other platforms for T1175

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MMC20.Application DCOM Local Shell Execution

    Expected signal: Sysmon Event ID 1: mmc.exe created (parent: powershell.exe), then cmd.exe spawned with ParentImage=mmc.exe, CommandLine='/c whoami > %TEMP%\dcom-mmc20-test.txt'. Sysmon Event ID 11: file created at %TEMP%\dcom-mmc20-test.txt. DeviceProcessEvents shows InitiatingProcessFileName='mmc.exe' spawning FileName='cmd.exe'. DCOM-Server/Operational may log the COM activation.

  2. Test 2ShellWindows COM Object Shell Execution via Shell.Application

    Expected signal: Sysmon Event ID 1: cmd.exe spawned with ParentImage=explorer.exe or dllhost.exe depending on Windows version and COM activation path. File created at %TEMP%\shellapp-test.txt. PowerShell ScriptBlock Log Event ID 4104 captures 'New-Object -ComObject Shell.Application' and 'ShellExecute' calls. DeviceProcessEvents records the cmd.exe creation with its initiating process context.

  3. Test 3DCOM Remote Execution via MMC20.Application (Lab Environment — Requires Admin on Target)

    Expected signal: SOURCE: Sysmon Event ID 3 — TCP connection to 192.168.1.100:135, then ephemeral port connection. Security Event ID 4648 if alternate credentials used. TARGET: Security Event ID 4624 Type 3 (network logon) from source IP. Sysmon Event ID 1: dllhost.exe /Processid:{49B2791A-B1AE-4C90-9B8E-E860BA07F889} created, then cmd.exe spawned with ParentImage=dllhost.exe. File created at C:\Windows\Temp\dcom-remote-test.txt.

  4. Test 4COM Object Scheduled Task Creation via Schedule.Service

    Expected signal: Sysmon Event ID 12/13 (Registry): Task Scheduler registry key creation under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\. Security Event ID 4698 (Scheduled task created) in Windows Security log. PowerShell ScriptBlock Log Event ID 4104 showing New-Object -ComObject Schedule.Service invocation. DeviceProcessEvents shows only powershell.exe (no schtasks.exe child process — the entire task creation happens via COM API).

Last updated: 2026-04-18 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1175 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1021.003Distributed Component Object ModelT1559.001Component Object ModelT1559.002Dynamic Data ExchangeT1047Windows Management InstrumentationT1053.005Scheduled TaskT1546.015Component Object Model HijackingT1055Process InjectionT1134Access Token ManipulationT1027Obfuscated Files or Information

Same Tactic: Lateral Movement

Popular Detections