title: Component Object Model and Distributed COM (T1175)
id: df00tech-t1175
status: experimental
description: "Adversaries may abuse the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to move laterally across a network. This deprecated technique encompasses both local COM abuse (now T1559.001) and DCOM-based lateral movement (now T1021.003). COM is a native Windows API component enabling interaction between software objects through well-defined interfaces; DCOM extends this functionality over a network via RPC. Adversaries exploit COM interfaces to invoke arbitrary code execution through C++, Java, VBScript, and PowerShell. For DCOM lateral movement, privileged users can remotely activate objects such as MMC20.Application (CLSID: 49B2791A-B1AE-4C90-9B8E-E860BA07F889), ShellWindows (CLSID: 9BA05972-F6A8-11CF-A442-00A0C90A8F39), and ShellBrowserWindow (CLSID: C08AFD90-F2A1-11D1-8455-00A0C91F3880) to execute commands on remote hosts. Microsoft Office application objects (Excel.Application, Outlook.Application) exposed via DCOM also permit remote code execution and macro invocation. COM surrogate processes (dllhost.exe /Processid:{CLSID}) serve as the activation vehicle for out-of-process COM servers, making dllhost.exe spawning unexpected child processes a high-fidelity indicator. DCOM lateral movement communicates over TCP 135 (RPC Endpoint Mapper) before negotiating an ephemeral high port, distinguishing it from WMI or SMB-based lateral movement."
references:
  - https://attack.mitre.org/techniques/T1175/
  - https://df00tech.com/detections/T1175
author: df00tech
date: 2026/04/18
tags:
  - attack.t1175
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The selection encodes the indicator named in the description: a COM surrogate
  # (dllhost.exe /Processid:{CLSID}) spawning a child process. The full KQL/SPL query is on df00tech.
  selection:
    ParentImage|endswith: '\dllhost.exe'
    ParentCommandLine|contains: '/Processid:'
  condition: selection
falsepositives:
  - "Legitimate IT administration tools using MMC snap-ins that internally spawn helper processes for managed operations (disk management, event viewer, device manager)"
  - "Software installation packages activating COM servers via dllhost.exe as part of normal registration workflows (MSI installers, COM+ application setup)"
  - "Microsoft Office macros performing legitimate document automation that spawn helper processes, such as mail merge or report generation scripts"
  - "Remote management products (RMM tools, monitoring agents) that use DCOM as a transport mechanism for legitimate administrative operations on managed endpoints"
  - "COM+ application servers hosting line-of-business applications that legitimately spawn worker processes via dllhost.exe as part of their normal operation"
level: high
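As an added example, not part of the df00tech rule or its KQL/SPL query, the Python below applies the parent/child indicators from the description to constructed Sysmon-style process-creation records. The mapping of MMC20.Application, ShellWindows/ShellBrowserWindow and the Office objects to mmc.exe, explorer.exe, excel.exe and outlook.exe as host processes, and the list of interpreter children, are this example's assumptions.

```python
# Added example, not df00tech's rule logic: apply the parent/child indicators from the
# description to Sysmon-style process-creation records. The host-process mapping
# (mmc.exe for MMC20.Application, explorer.exe for ShellWindows/ShellBrowserWindow,
# excel.exe/outlook.exe for Office objects) and the interpreter list are assumptions.
import re
from typing import Optional

# Processes in which the DCOM objects named in the rule are activated (assumed mapping).
DCOM_HOSTS = {"mmc.exe", "explorer.exe", "excel.exe", "outlook.exe"}
# A COM surrogate is recognised by its command line, not by image name alone.
SURROGATE_RE = re.compile(r"/processid:\{[0-9a-f-]{36}\}", re.IGNORECASE)
# Children that indicate command execution rather than ordinary document handling.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return a reason tag if the record matches a COM/DCOM execution indicator, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent == "dllhost.exe" and SURROGATE_RE.search(event.get("ParentCommandLine", "")):
        return "com_surrogate_child"        # dllhost.exe /Processid:{CLSID} spawned something
    if parent in DCOM_HOSTS and child in INTERPRETERS:
        return f"dcom_host_{parent}"        # e.g. mmc.exe -> cmd.exe
    return None

def scan(events: list) -> list:
    """(ProcessId, reason) for every matching record, in log order."""
    return [(e["ProcessId"], r) for e in events if (r := classify(e))]

# Constructed sample records; the CLSID below is a placeholder, not a real class id.
SAMPLE = [
    {"ProcessId": 101, "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 102, "ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": "mmc.exe -Embedding", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 103, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},
    {"ProcessId": 104, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost.exe -k DcomLaunch", "Image": r"C:\Windows\System32\dllhost.exe"},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE):
        print(pid, reason)
```

explorer.exe and the Office hosts also spawn interpreters during ordinary local use, so their hits need the TCP 135 activation context from the description before being treated as lateral movement.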
