MITRE Technique [T1021.003] Remote Services: Distributed Component Object Model

[T1021.003] Remote Services: Distributed Component Object Model – DCOM lets software on one Windows machine invoke and control COM objects on another machine using RPC. Attackers with valid credentials can abuse DCOM to execute code, launch processes, or trigger Office-based payloads remotely, enabling stealthy lateral movement. #DCOM #LateralMovement

Keypoints

  • DCOM extends COM across machines using RPC, allowing remote method calls and object activation.
  • By default only administrators can remotely activate COM objects, but misconfigurations can broaden access.
  • Adversaries with valid accounts can use DCOM to run shellcode or execute macros without a malicious document.
  • Monitoring DCOM activity requires watching module loads, process creation, and DCE/RPC traffic: the initial connection goes to TCP 135 (the RPC endpoint mapper), after which the COM server is reached on a dynamically assigned high port, so port 135 alone does not capture the whole exchange.
  • Enumeration of COM objects via registry queries or PowerShell often precedes malicious DCOM use.
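
The registry keys behind the two keypoints above (who may launch COM servers remotely, and which servers exist to be launched) can be audited in place. The following is an added example written for this page, not code from ATT&CK or from any cited project; it is read-only and uses only the documented keys under HKLM\SOFTWARE\Microsoft\Ole, HKLM\SOFTWARE\Classes\CLSID and HKLM\SOFTWARE\Classes\AppID. Function names are my own.

```powershell
# Added example, not code from the ATT&CK page: a read-only audit of the registry
# keys that decide who may launch out-of-process COM servers remotely over DCOM.
# Run in PowerShell on the Windows host being assessed.

# Turn a REG_BINARY security descriptor (as stored in the Ole and AppID keys)
# into SDDL so the launch/access ACL can be read or diffed against a baseline.
function Convert-BinarySdToSddl {
    param([byte[]] $Bytes)
    if (-not $Bytes) { return '<not set: built-in default applies>' }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Machine-wide DCOM policy (the "system wide COM keys" the page cites).
# MachineLaunchRestriction is the hard upper bound; DefaultLaunchPermission is
# what an AppID gets when it carries no LaunchPermission of its own.
function Get-DcomMachinePolicy {
    $ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole'
    [pscustomobject]@{
        EnableDCOM               = $ole.EnableDCOM   # 'N' means DCOM is disabled host-wide
        MachineLaunchRestriction = Convert-BinarySdToSddl $ole.MachineLaunchRestriction
        MachineAccessRestriction = Convert-BinarySdToSddl $ole.MachineAccessRestriction
        DefaultLaunchPermission  = Convert-BinarySdToSddl $ole.DefaultLaunchPermission
    }
}

# Out-of-process COM servers (those with a LocalServer32 key) and the per-AppID
# LaunchPermission that overrides the machine default when it is present.
# In-process (InprocServer32) classes are skipped: they are not DCOM targets.
function Get-DcomServer {
    $clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    $appIdRoot = 'HKLM:\SOFTWARE\Classes\AppID'
    foreach ($key in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
        $local = Get-ItemProperty -LiteralPath "$($key.PSPath)\LocalServer32" -ErrorAction SilentlyContinue
        if (-not $local) { continue }
        $clsid  = Get-ItemProperty -LiteralPath $key.PSPath
        $progId = (Get-ItemProperty -LiteralPath "$($key.PSPath)\ProgID" -ErrorAction SilentlyContinue).'(default)'
        $appId  = $clsid.AppID
        $launchSddl = '<no AppID: machine default applies>'
        if ($appId) {
            $perm = (Get-ItemProperty -LiteralPath "$appIdRoot\$appId" -ErrorAction SilentlyContinue).LaunchPermission
            $launchSddl = Convert-BinarySdToSddl $perm
        }
        [pscustomobject]@{
            CLSID            = $key.PSChildName
            ProgID           = $progId
            Server           = $local.'(default)'
            AppID            = $appId
            LaunchPermission = $launchSddl
        }
    }
}

Get-DcomMachinePolicy | Format-List
# Classes with a ProgID are the ones an attacker can name without knowing the GUID;
# review any whose LaunchPermission grants launch to more than administrators.
Get-DcomServer | Where-Object { $_.ProgID } | Sort-Object ProgID |
    Format-Table ProgID, Server, LaunchPermission -AutoSize
```

The SDDL strings are what dcomcnfg.exe shows graphically; diffing them against a known-good host is the quickest way to spot the "misconfigurations that broaden access" the keypoint warns about.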

Description:

  • Like a remote control that lets you operate appliances in another house, DCOM lets software on one PC reach into and command components on another PC across the network.
  • DCOM enables remote activation of and interaction with Windows COM objects over RPC; adversaries with valid credentials can remotely execute code, spawn processes, trigger Office object methods (including macros and DDE without a malicious document), or invoke WMI, giving them a stealthy lateral movement path.

Detection:

  • Watch for unusual module loads: alert on DLLs loaded by processes that don’t normally load them (Module Load logs).
  • Monitor process creation: flag COM server hosts (e.g., mmc.exe, winword.exe, excel.exe) that are started by the DcomLaunch svchost.exe with the -Embedding switch rather than by a user's explorer.exe, and anything those hosts then spawn, especially when the account is a network (type 3) logon rather than an interactive one.
  • Inspect DCE/RPC traffic: alert on new or unusual internal connections to TCP 135 (the RPC endpoint mapper) followed by a connection to the dynamically assigned high port on which the COM server is bound (Network Connection Creation logs).
  • Log and alert on registry COM key enumeration: detect scripted reads of HKCR\CLSID, HKCR\AppID or related keys from non-admin or suspicious accounts (Query Registry/PowerShell telemetry).
  • Correlate authentication and DCOM activity: link valid account logins with subsequent remote COM activations to spot lateral movement sequences.
  • Use EDR to capture and analyze in-memory shellcode or atypical code execution paths originating from Office processes or COM servers.
  • Hunt for execution chains that bypass documents: look for an Office process created through COM (no document open event, -Embedding on its command line) that then runs a macro, issues DDE calls, or spawns a child process.
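
The process-creation and authentication bullets above come together in one correlation: a COM server host (or a child of one) whose token belongs to a network logon session. The following is an added example written for this page, not code from ATT&CK or a cited project. It assumes Sysmon Event ID 1 for process creation and Security 4624 for logons, and relies on the fact that Sysmon's LogonId and 4624's TargetLogonId carry the same logon session LUID. The sample events are constructed, not real telemetry; function names are my own.

```powershell
# Added example, not code from the ATT&CK page: correlate a network logon
# (Security 4624, LogonType 3) with a process that the DCOM activation service
# spawned under that same logon session, which is what remote COM activation
# looks like on the target host. Sample events at the bottom are constructed.

# Flatten the EventData of a Security or Sysmon event into a hashtable so the
# detection logic below can work on live Get-WinEvent output.
function ConvertTo-EventHash {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml]$Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# Core check. A hit needs two things: (1) the process is a COM host started by
# the DcomLaunch svchost, or is a child of a COM host, and (2) its logon session
# was created by a network (type 3) logon. Interactive sessions are ignored, so a
# user opening Excel at the console does not fire. PowerShell hashtable keys are
# case-insensitive, so '0x1A2B3C' and '0x1a2b3c' match.
function Find-DcomActivation {
    param(
        [hashtable[]] $Logons,      # Security 4624 records
        [hashtable[]] $Processes,   # Sysmon Event ID 1 records
        [string[]] $ComHosts = @('mmc.exe', 'excel.exe', 'winword.exe', 'outlook.exe')
    )
    $netLogons = @{}
    foreach ($l in $Logons) {
        if ($l.Id -eq 4624 -and $l.LogonType -eq '3') { $netLogons[$l.TargetLogonId] = $l }
    }
    foreach ($p in $Processes) {
        if ($p.Id -ne 1) { continue }
        $parentName = [System.IO.Path]::GetFileName($p.ParentImage).ToLower()
        $imageName  = [System.IO.Path]::GetFileName($p.Image).ToLower()
        $reason = $null
        if ($p.ParentCommandLine -match 'DcomLaunch') { $reason = 'launched by the DcomLaunch svchost' }
        elseif ($ComHosts -contains $parentName)      { $reason = "spawned by COM host $parentName" }
        elseif ($ComHosts -contains $imageName)       { $reason = 'COM host running under a network logon' }
        if (-not $reason) { continue }
        $logon = $netLogons[$p.LogonId]
        if (-not $logon) { continue }   # interactive or service session: not lateral movement
        [pscustomobject]@{
            Time        = $p.UtcTime
            SourceIp    = $logon.IpAddress
            User        = $p.User
            Parent      = $p.ParentImage
            Spawned     = $p.Image
            CommandLine = $p.CommandLine
            Reason      = $reason
        }
    }
}

# --- Constructed sample telemetry (not real logs) ---
$sampleLogons = @(
    @{ Id = 4624; LogonType = '3'; TargetUserName = 'jsmith'; TargetLogonId = '0x1A2B3C'; IpAddress = '10.0.0.5' },
    @{ Id = 4624; LogonType = '2'; TargetUserName = 'admin';  TargetLogonId = '0x3E7';    IpAddress = '-' }
)
$sampleProcs = @(
    # mmc.exe activated remotely: parent is the DcomLaunch svchost, -Embedding on the command line
    @{ Id = 1; UtcTime = '2024-01-01 10:00:01'; Image = 'C:\Windows\System32\mmc.exe'
       CommandLine = '"C:\Windows\System32\mmc.exe" -Embedding'; User = 'CORP\jsmith'; LogonId = '0x1a2b3c'
       ParentImage = 'C:\Windows\System32\svchost.exe'; ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p' },
    # the payload the remote caller then ran through the COM host
    @{ Id = 1; UtcTime = '2024-01-01 10:00:03'; Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c whoami'; User = 'CORP\jsmith'; LogonId = '0x1a2b3c'
       ParentImage = 'C:\Windows\System32\mmc.exe'; ParentCommandLine = '"C:\Windows\System32\mmc.exe" -Embedding' },
    # benign: Excel opened from the console by an interactive (type 2) session
    @{ Id = 1; UtcTime = '2024-01-01 10:05:00'; Image = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
       CommandLine = 'excel.exe'; User = 'CORP\admin'; LogonId = '0x3e7'
       ParentImage = 'C:\Windows\explorer.exe'; ParentCommandLine = 'explorer.exe' }
)
Find-DcomActivation -Logons $sampleLogons -Processes $sampleProcs | Format-Table -AutoSize

# Live use: feed real records through the adapter, for example
#   $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object { ConvertTo-EventHash $_ }
#   $procs  = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object { ConvertTo-EventHash $_ }
#   Find-DcomActivation -Logons $logons -Processes $procs
```

On the constructed sample this reports the mmc.exe activation and the cmd.exe it spawned, both tied to the 10.0.0.5 network logon, and stays silent on the interactive Excel launch. Joining on the logon session LUID rather than on a time window is what keeps the interactive case out; the source IP from the 4624 record gives the pivot back to the attacker's foothold.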

Tactics:
Lateral Movement

Platforms:
Windows

Data Sources:
Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation

Relationship Citations:
(Citation: Cobalt Strike DCOM Jan 2017),(Citation: GitHub SILENTTRINITY Modules July 2019),(Citation: Github PowerShell Empire),(Citation: Microsoft Disable DCOM),(Citation: Microsoft System Wide Com Keys),(Citation: Microsoft COM ACL),(Citation: Microsoft Process Wide Com Keys),(Citation: Microsoft Protected View)

Read More: https://attack.mitre.org/techniques/T1021/003