T1021.003

Distributed Component Object Model

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object c...

Platform: Windows. 31 detections from 3 sources; 0 threat actors linked.

BY SOURCE

sigma: 13, splunk_escu: 10, elastic: 8

PROCEDURES (22)

Auto-extracted keyword clusters, each with the number of detections it matched (a keyword can occur in more than one cluster):

Remote: 4 detections
Exfiltrat: 3 detections
Child Process: 2 detections
C2: 2 detections
Wmi: 2 detections
Registry: 2 detections
C2: 1 detection
Process Creation Monitoring: 1 detection
Wmi: 1 detection
Powershell: 1 detection
Privilege: 1 detection
Dll Hijack: 1 detection
Dll Hijack: 1 detection
Credential: 1 detection
Persist: 1 detection
Privilege: 1 detection
Persist: 1 detection
Parent Process: 1 detection
Powershell: 1 detection
Wmi: 1 detection
Dll Hijack: 1 detection
Credential: 1 detection

DETECTIONS (31)

Name (source, severity where the source assigns one):

BaaUpdate.exe Suspicious DLL Load (sigma, high)
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security (sigma, high)
HackTool - Potential Impacket Lateral Movement Activity (sigma, high)
Impacket Lateral Movement Commandline Parameters (splunk_escu)
Impacket Lateral Movement smbexec CommandLine Parameters (splunk_escu)
Impacket Lateral Movement WMIExec Commandline Parameters (splunk_escu)
Incoming DCOM Lateral Movement via MSHTA (elastic, high)
Incoming DCOM Lateral Movement with MMC (elastic, high)
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (elastic, medium)
Mmc LOLBAS Execution Process Spawn (splunk_escu)
MMC Spawning Windows Shell (sigma, high)
MMC20 Lateral Movement (sigma, high)
Outbound Scheduled Task Activity via PowerShell (elastic, medium)
Possible Lateral Movement PowerShell Spawn (splunk_escu)
Potential DCOM InternetExplorer.Application DLL Hijack (sigma, critical)
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load (sigma, critical)
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp (sigma, high)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Remote DCOM/WMI Lateral Movement (sigma, high)
Remote Process Instantiation via DCOM and PowerShell (splunk_escu)
Remote Process Instantiation via DCOM and PowerShell Script Block (splunk_escu)
RPC (Remote Procedure Call) to the Internet (elastic, high)
Suspicious BitLocker Access Agent Update Utility Execution (sigma, high)
Suspicious Cmd Execution via WMI (elastic, high)
Suspicious Non PowerShell WSMAN COM Provider (sigma, medium)
Suspicious Speech Runtime Binary Child Process (sigma, high)
Suspicious WSMAN Provider Image Loads (sigma, medium)
Windows Excel Spawning Microsoft Project Application (splunk_escu)
Windows SpeechRuntime COM Hijacking DLL Load (splunk_escu)
Windows SpeechRuntime Suspicious Child Process (splunk_escu)
WMI Incoming Lateral Movement (elastic, medium)
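The MMC20, ShellWindows/ShellBrowserWindow and Excel ActivateMicrosoftApp detections listed above all key on the same process-tree shape that the technique description implies: a remote caller activates a COM server on the target, the DCOM launcher starts that server (mmc.exe, explorer.exe or excel.exe) with the "-Embedding" switch, and the server then spawns a shell, script host or other application on the caller's behalf. The following is an added example of that detection logic over constructed process-creation records; it is not code from this catalog or from the Sigma, Splunk ESCU or Elastic rules it lists. The sample events, the ProcessEvent field names and the logon_type field (assumed to be joined in from the parent's Security 4624 event, since Sysmon Event ID 1 does not carry it) are assumptions made for the example.

```python
"""Toy detector for DCOM lateral movement (ATT&CK T1021.003).

Added example, not code from the detection catalog or the rule sources it
cites. Records below are constructed, Sysmon Event ID 1 (process creation)
style, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# COM servers that DCOM lateral-movement tooling activates remotely, mapped to
# the ProgIDs they host (ProgIDs are informational; matching keys on the image).
DCOM_SERVERS = {
    "mmc.exe": "MMC20.Application",
    "explorer.exe": "ShellWindows / ShellBrowserWindow",
    "excel.exe": "Excel.Application (ActivateMicrosoftApp)",
}

# Children whose appearance under an "-Embedding"-launched COM server is
# suspicious: shells, script hosts, LOLBins, and Project (Excel's target).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "winproj.exe",
}


@dataclass
class ProcessEvent:
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str
    # Assumed field: logon type of the parent's token, joined from Security
    # event 4624 (3 = network). None means the join was not available.
    logon_type: Optional[int] = None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dcom_lateral_movement(ev: ProcessEvent) -> bool:
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent not in DCOM_SERVERS or child not in SUSPICIOUS_CHILDREN:
        return False
    # Out-of-process COM servers are started with "-Embedding"; an admin who
    # opens mmc.exe or an Excel workbook interactively does not pass it.
    if "-embedding" not in ev.parent_cmdline.lower():
        return False
    # Remote activation runs the server under a network (type 3) logon.
    # When the logon type is unknown, fall back to the -Embedding heuristic.
    return ev.logon_type is None or ev.logon_type == 3


def detect(events: Iterable[ProcessEvent]) -> List[Dict[str, str]]:
    """Return one record per event that matches the lateral-movement shape."""
    hits = []
    for ev in events:
        if is_dcom_lateral_movement(ev):
            parent = basename(ev.parent_image)
            hits.append({"parent": parent, "progid": DCOM_SERVERS[parent],
                         "child": basename(ev.image), "cmdline": ev.cmdline})
    return hits


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # MMC20.Application -> Document.ActiveView.ExecuteShellCommand from a remote host
    ProcessEvent(r"C:\Windows\System32\mmc.exe",
                 '"C:\\Windows\\System32\\mmc.exe" -Embedding',
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami > \\\\share\\out.txt", 3),
    # ShellWindows -> Document.Application.ShellExecute
    ProcessEvent(r"C:\Windows\explorer.exe", "C:\\Windows\\explorer.exe -Embedding",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc ...", 3),
    # Excel.Application.ActivateMicrosoftApp launching Microsoft Project
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 '"EXCEL.EXE" -Embedding',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINPROJ.EXE",
                 "WINPROJ.EXE", 3),
    # Benign: local admin opened a snap-in interactively and spawned a shell
    ProcessEvent(r"C:\Windows\System32\mmc.exe",
                 '"C:\\Windows\\System32\\mmc.exe" services.msc',
                 r"C:\Windows\System32\cmd.exe", "cmd.exe", 2),
    # Benign: local (interactive-logon) COM activation of explorer, harmless child
    ProcessEvent(r"C:\Windows\explorer.exe", "C:\\Windows\\explorer.exe -Embedding",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe", 2),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The two benign records show the two checks that keep this from firing on ordinary administration: an interactively launched console lacks "-Embedding", and a locally activated COM server runs under an interactive rather than a network logon. In production the logon-type join is what separates local COM automation from DCOM lateral movement, so treat an "-Embedding"-only match as medium confidence, as the listed ShellWindows rule does.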