Why DCOM Lateral Movement Matters
Distributed Component Object Model (DCOM) is a Microsoft technology that enables software components to communicate across network boundaries. Designed in the late 1990s, it was built before lateral movement was a primary threat model, and it shows: DCOM exposes powerful execution primitives to any network-authenticated user, and the traffic blends with legitimate Windows administration on most networks.
MITRE ATT&CK catalogues DCOM lateral movement as T1021.003. APT groups (APT28, APT41, Lazarus Group), ransomware operators (Black Basta, Akira affiliates), and red teams all use DCOM for interactive and non-interactive remote execution. The technique’s appeal: it uses SMB port 135 (RPC endpoint mapper) plus high ephemeral ports, requires no additional tooling on the target, and leaves fewer artifacts than PSExec or WinRM in default configurations.
How DCOM Lateral Movement Works
DCOM exposes COM objects remotely via RPC. An attacker with valid credentials on the target uses one of several DCOM object classes that expose execution methods:
MMC20.Application — The Microsoft Management Console object. The ExecuteShellCommand method runs arbitrary programs in the context of an MMC process. This was popularised in 2017 by Matt Nelson and is now the most documented DCOM technique.
ShellWindows and ShellBrowserWindow — These expose Item().Document.Application.ShellExecute(), allowing command execution via the Windows Explorer process. The resulting child process is a child of explorer.exe rather than a suspicious parent.
Excel.Application / Word.Application — Office automation objects can execute macros or shell commands remotely if Office is installed on the target.
Impacket (dcomexec.py) and the Invoke-DCOM PowerShell module are the most common attack frameworks used to automate these techniques.
The attack flow:
- Authenticate to target’s RPC endpoint mapper (TCP 135)
- Query for DCOM object’s active port (dynamic high port)
- Connect and instantiate the object
- Call the execution method with the desired payload
Detection Telemetry
DCOM execution is harder to detect than WinRM or PSExec because it doesn’t create distinct service events. Focus on these sources:
Windows Event Log — Process Creation (Event ID 4688 / Sysmon EID 1):
- Child processes spawned by
mmc.exe,explorer.exe,svchost.exe(DCOM service host), or Office applications with network-originated triggers - Unusual command lines under these parents:
cmd.exe,powershell.exe,wscript.exe,mshta.exe
Windows Event Log — DCOM Security (Microsoft-Windows-DCOM-Server/Operational):
- EID 10010: Server-side DCOM object activation
- EID 10009: Failed DCOM object activation attempt
Sysmon EID 3 — Network Connection:
mmc.exe,explorer.exe, orsvchost.exe(hostingDcomLaunch) initiating inbound connections from unexpected remote IPs
Windows Security Log — EID 4624 / 4648:
- Network logons (logon type 3) from the lateral movement source to the target, authenticated before DCOM execution
Sigma Rules
DCOM Lateral Movement — MMC20 Execution
title: DCOM Lateral Movement via MMC20.Application
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: test
description: |
Detects command execution via MMC20.Application DCOM object —
a well-known lateral movement technique (T1021.003).
Alerts on suspicious child processes of mmc.exe over the network.
references:
- https://attack.mitre.org/techniques/T1021/003/
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Detection Engineering
date: 2026-06-12
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\mmc.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\regsvr32.exe'
filter_local:
# Exclude legitimate local MMC console usage
# Refine this with your environment's known-good baselines
CommandLine|contains: 'msc'
condition: selection and not filter_local
falsepositives:
- Legitimate administrative MMC snap-in usage launching subprocesses
- Third-party management tools using MMC automation
level: high
tags:
- attack.lateral_movement
- attack.t1021.003
DCOM Lateral Movement — ShellWindows Execution
title: DCOM Lateral Movement via ShellWindows or ShellBrowserWindow
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: test
description: |
Detects suspicious child process execution under explorer.exe that
matches DCOM ShellWindows/ShellBrowserWindow lateral movement patterns.
references:
- https://attack.mitre.org/techniques/T1021/003/
author: Detection Engineering
date: 2026-06-12
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
filter_user_context:
# Explorer's normal child processes for interactive users
CommandLine|contains:
- 'open'
- 'shell'
condition: selection_parent and not filter_user_context
falsepositives:
- Interactive desktop user running scripts via Explorer context menu
level: medium
tags:
- attack.lateral_movement
- attack.t1021.003
KQL Detection for Microsoft Sentinel
DCOM Execution — MMC20 Suspicious Child
// T1021.003 — DCOM Lateral Movement via MMC20.Application
// Detects suspicious command shells launched under mmc.exe
// Tune filter_commandline with your environment's known-good baselines
let suspicious_children = dynamic(["cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "mmc.exe"
| where FileName in~ (suspicious_children)
// Optional: filter out legitimate MMC snap-in execution
| where not (ProcessCommandLine has ".msc")
| project TimeGenerated, DeviceName, InitiatingProcessFileName,
FileName, ProcessCommandLine, AccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc
DCOM Lateral Movement — Source Correlation
// Correlate network logon (type 3) with DCOM child process within 2 minutes
// on the same device — strong signal for remote DCOM execution
let network_logons = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624 and LogonType == 3
| project LogonTime = TimeGenerated, DeviceName = Computer, AccountName, SourceIP = IpAddress;
let dcom_children = DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ("mmc.exe", "svchost.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
| project ExecTime = TimeGenerated, DeviceName, ChildProcess = FileName,
CommandLine = ProcessCommandLine, Account = AccountName;
network_logons
| join kind=inner dcom_children on DeviceName
| where ExecTime between (LogonTime .. (LogonTime + 2m))
| project LogonTime, ExecTime, DeviceName, SourceIP, AccountName, ChildProcess, CommandLine
| order by LogonTime desc
Threat Hunting Query
Hunt for DCOM activation events in the DCOM operational log alongside process creation:
// Hunt: DCOM object activations from non-standard sources
Event
| where TimeGenerated > ago(7d)
| where Source == "Microsoft-Windows-DistributedCOM"
| where EventID in (10010, 10009)
| extend ParsedMsg = extract(@"CLSID \{([^}]+)\}", 1, RenderedDescription)
| extend SourceProcess = extract(@"from the process with PID (\d+)", 1, RenderedDescription)
| where SourceProcess != "" and ParsedMsg != ""
| summarize Count = count() by ParsedMsg, SourceProcess, Computer
| where Count < 5 // Low-frequency activations are more suspicious
| order by Count asc
Key CLSIDs to Monitor
Track DCOM activations for these known lateral-movement object CLSIDs:
| Object | CLSID |
|---|---|
| MMC20.Application | {49B2791A-B1AE-4C90-9B8E-E860BA07F889} |
| ShellWindows | {9BA05972-F6A8-11CF-A442-00A0C90A8F39} |
| ShellBrowserWindow | {C08AFD90-F2A1-11D1-8455-00A0C91F3880} |
Alert on DCOM EID 10010 with these CLSIDs originating from processes that are not typical MMC/Explorer usage paths.
Response Checklist
When DCOM lateral movement is confirmed:
- Identify the source host and account used for the RPC connection (EID 4624, type 3 logon from source)
- Review what command was executed — most critical for scoping the intrusion
- Check for additional DCOM object activations from the same source IP in the past 72 hours
- Validate whether the account used is a service account, admin account, or compromised user credential
- Contain: block lateral movement from source host and reset the account credentials used