Why DCOM Lateral Movement Matters

Distributed Component Object Model (DCOM) is a Microsoft technology that enables software components to communicate across network boundaries. Designed in the late 1990s, it was built before lateral movement was a primary threat model, and it shows: DCOM exposes powerful execution primitives to any network-authenticated user, and the traffic blends with legitimate Windows administration on most networks.

MITRE ATT&CK catalogues DCOM lateral movement as T1021.003. APT groups (APT28, APT41, Lazarus Group), ransomware operators (Black Basta, Akira affiliates), and red teams all use DCOM for interactive and non-interactive remote execution. The technique’s appeal: it uses SMB port 135 (RPC endpoint mapper) plus high ephemeral ports, requires no additional tooling on the target, and leaves fewer artifacts than PSExec or WinRM in default configurations.

How DCOM Lateral Movement Works

DCOM exposes COM objects remotely via RPC. An attacker with valid credentials on the target uses one of several DCOM object classes that expose execution methods:

MMC20.Application — The Microsoft Management Console object. The ExecuteShellCommand method runs arbitrary programs in the context of an MMC process. This was popularised in 2017 by Matt Nelson and is now the most documented DCOM technique.

ShellWindows and ShellBrowserWindow — These expose Item().Document.Application.ShellExecute(), allowing command execution via the Windows Explorer process. The resulting child process is a child of explorer.exe rather than a suspicious parent.

Excel.Application / Word.Application — Office automation objects can execute macros or shell commands remotely if Office is installed on the target.

Impacket (dcomexec.py) and the Invoke-DCOM PowerShell module are the most common attack frameworks used to automate these techniques.

The attack flow:

  1. Authenticate to target’s RPC endpoint mapper (TCP 135)
  2. Query for DCOM object’s active port (dynamic high port)
  3. Connect and instantiate the object
  4. Call the execution method with the desired payload

Detection Telemetry

DCOM execution is harder to detect than WinRM or PSExec because it doesn’t create distinct service events. Focus on these sources:

Windows Event Log — Process Creation (Event ID 4688 / Sysmon EID 1):

  • Child processes spawned by mmc.exe, explorer.exe, svchost.exe (DCOM service host), or Office applications with network-originated triggers
  • Unusual command lines under these parents: cmd.exe, powershell.exe, wscript.exe, mshta.exe

Windows Event Log — DCOM Security (Microsoft-Windows-DCOM-Server/Operational):

  • EID 10010: Server-side DCOM object activation
  • EID 10009: Failed DCOM object activation attempt

Sysmon EID 3 — Network Connection:

  • mmc.exe, explorer.exe, or svchost.exe (hosting DcomLaunch) initiating inbound connections from unexpected remote IPs

Windows Security Log — EID 4624 / 4648:

  • Network logons (logon type 3) from the lateral movement source to the target, authenticated before DCOM execution

Sigma Rules

DCOM Lateral Movement — MMC20 Execution

title: DCOM Lateral Movement via MMC20.Application
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: test
description: |
  Detects command execution via MMC20.Application DCOM object — 
  a well-known lateral movement technique (T1021.003).
  Alerts on suspicious child processes of mmc.exe over the network.
references:
  - https://attack.mitre.org/techniques/T1021/003/
  - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Detection Engineering
date: 2026-06-12
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\mmc.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
  filter_local:
    # Exclude legitimate local MMC console usage
    # Refine this with your environment's known-good baselines
    CommandLine|contains: 'msc'
  condition: selection and not filter_local
falsepositives:
  - Legitimate administrative MMC snap-in usage launching subprocesses
  - Third-party management tools using MMC automation
level: high
tags:
  - attack.lateral_movement
  - attack.t1021.003

DCOM Lateral Movement — ShellWindows Execution

title: DCOM Lateral Movement via ShellWindows or ShellBrowserWindow
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: test
description: |
  Detects suspicious child process execution under explorer.exe that
  matches DCOM ShellWindows/ShellBrowserWindow lateral movement patterns.
references:
  - https://attack.mitre.org/techniques/T1021/003/
author: Detection Engineering
date: 2026-06-12
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\regsvr32.exe'
      - '\rundll32.exe'
  filter_user_context:
    # Explorer's normal child processes for interactive users
    CommandLine|contains:
      - 'open'
      - 'shell'
  condition: selection_parent and not filter_user_context
falsepositives:
  - Interactive desktop user running scripts via Explorer context menu
level: medium
tags:
  - attack.lateral_movement
  - attack.t1021.003

KQL Detection for Microsoft Sentinel

DCOM Execution — MMC20 Suspicious Child

// T1021.003 — DCOM Lateral Movement via MMC20.Application
// Detects suspicious command shells launched under mmc.exe
// Tune filter_commandline with your environment's known-good baselines
let suspicious_children = dynamic(["cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "mmc.exe"
| where FileName in~ (suspicious_children)
// Optional: filter out legitimate MMC snap-in execution
| where not (ProcessCommandLine has ".msc")
| project TimeGenerated, DeviceName, InitiatingProcessFileName,
          FileName, ProcessCommandLine, AccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc

DCOM Lateral Movement — Source Correlation

// Correlate network logon (type 3) with DCOM child process within 2 minutes
// on the same device — strong signal for remote DCOM execution
let network_logons = SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4624 and LogonType == 3
    | project LogonTime = TimeGenerated, DeviceName = Computer, AccountName, SourceIP = IpAddress;
let dcom_children = DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ("mmc.exe", "svchost.exe")
    | where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
    | project ExecTime = TimeGenerated, DeviceName, ChildProcess = FileName,
              CommandLine = ProcessCommandLine, Account = AccountName;
network_logons
| join kind=inner dcom_children on DeviceName
| where ExecTime between (LogonTime .. (LogonTime + 2m))
| project LogonTime, ExecTime, DeviceName, SourceIP, AccountName, ChildProcess, CommandLine
| order by LogonTime desc

Threat Hunting Query

Hunt for DCOM activation events in the DCOM operational log alongside process creation:

// Hunt: DCOM object activations from non-standard sources
Event
| where TimeGenerated > ago(7d)
| where Source == "Microsoft-Windows-DistributedCOM"
| where EventID in (10010, 10009)
| extend ParsedMsg = extract(@"CLSID \{([^}]+)\}", 1, RenderedDescription)
| extend SourceProcess = extract(@"from the process with PID (\d+)", 1, RenderedDescription)
| where SourceProcess != "" and ParsedMsg != ""
| summarize Count = count() by ParsedMsg, SourceProcess, Computer
| where Count < 5  // Low-frequency activations are more suspicious
| order by Count asc

Key CLSIDs to Monitor

Track DCOM activations for these known lateral-movement object CLSIDs:

ObjectCLSID
MMC20.Application{49B2791A-B1AE-4C90-9B8E-E860BA07F889}
ShellWindows{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
ShellBrowserWindow{C08AFD90-F2A1-11D1-8455-00A0C91F3880}

Alert on DCOM EID 10010 with these CLSIDs originating from processes that are not typical MMC/Explorer usage paths.

Response Checklist

When DCOM lateral movement is confirmed:

  1. Identify the source host and account used for the RPC connection (EID 4624, type 3 logon from source)
  2. Review what command was executed — most critical for scoping the intrusion
  3. Check for additional DCOM object activations from the same source IP in the past 72 hours
  4. Validate whether the account used is a service account, admin account, or compromised user credential
  5. Contain: block lateral movement from source host and reset the account credentials used