title: Distributed Component Object Model (T1021.003)
id: df00tech-t1021-003
status: experimental
description: "Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). DCOM extends Windows COM (Component Object Model) beyond local machines using RPC, allowing remote method calls on COM objects. Adversaries with Administrator privileges can remotely obtain code execution through Office applications (Excel, Outlook), MMC20.Application, ShellWindows, and other insecure COM objects. Tools like Empire's Invoke-DCOM, Cobalt Strike, and SILENTTRINITY have built-in DCOM lateral movement capabilities. DCOM communicates over TCP port 135 (RPC endpoint mapper) and dynamically assigned high ports."
references:
  - https://attack.mitre.org/techniques/T1021/003/
  - https://df00tech.com/detections/T1021.003
author: df00tech
date: 2026/04/16
tags:
  - attack.t1021.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, this selection matches every process_creation event and must be replaced before the rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate administrative scripts using DCOM to manage remote systems via WMI (IT automation tools like Ansible, SCCM)
  - Office applications launching helper processes during document processing or macro execution for legitimate business use
  - MMC snap-ins spawning cmd.exe for legitimate administrative tasks by IT staff
  - Software developers testing DCOM-based applications or COM server registration
  - Monitoring tools that use COM automation to collect system information
level: high
