{
"dataset": {
"name": "EID Quick Reference - DCOM",
"version": "1.2.0",
"generatedAt": "2026-05-10T00:00:00Z",
"id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/dcom.json",
"schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
"license": {
"name": "Creative Commons Attribution 4.0 International",
"spdx": "CC-BY-4.0",
"notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
},
"sources": [
{
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/",
"type": "primary"
}
]
},
"entries": [
{
"id": 10009,
"log": "DCOM",
"provider": "Microsoft-Windows-DistributedCOM",
"channel": "System",
"level": "Error",
"title": "DCOM unable to communicate with remote computer",
"summary": "DCOM failed to establish a connection to a remote computer, indicating a network, firewall, or RPC availability issue on the destination.",
"details": "Logged by the Microsoft-Windows-DistributedCOM provider in the System log when the local DCOM infrastructure cannot contact a remote host. Uncommon in healthy environments; appears during DCOM-based lateral movement attempts when the target is unreachable or firewalled, and during normal operations when management tools reference decommissioned hosts.",
"category": "Lateral Movement",
"tags": [
"dcom",
"lateral-movement",
"rpc",
"remote-execution",
"network"
],
"relatedEventIds": [
{
"id": 10016,
"log": "DCOM"
},
{
"id": 10028,
"log": "DCOM"
},
{
"id": 4624,
"log": "Security"
},
{
"id": 3,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1021.003",
"techniqueName": "Remote Services: Distributed Component Object Model",
"tactics": [
{
"tacticId": "TA0008",
"tacticName": "Lateral Movement"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Remote computer name/IP — is this a known management target or an anomalous pairing such as a workstation targeting a server?",
"Timestamp correlation with Security 4624/4625 and Sysmon 3 on both source and target hosts to determine if the connection was ultimately established",
"Source process — correlate with Sysmon EID 1 (process creation) to identify which process initiated the DCOM call",
"Frequency — a single 10009 is often benign; a burst from one source across multiple targets suggests automated lateral movement or C2 beaconing via DCOM"
],
"commonFalsePositives": [
"SCCM, WSUS, or WMI-based monitoring tools targeting hosts that are offline or decommissioned",
"Group Policy processing attempting to contact domain controllers during network outages",
"Software licensing services and management agents that use DCOM for communication",
"Stale DNS records pointing DCOM calls to decommissioned IP addresses"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/application-management/dcom-errors-troubleshoot"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "param1",
"xpath": "EventData/Data[@Name='param1']",
"description": "Target computer name or IP address that DCOM failed to reach; primary pivot for identifying lateral movement targets"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "DCOM Lateral Movement — 10009 Burst to Multiple Targets",
"rule": "Event\n| where Source == \"DCOM\"\n| where EventID == 10009\n| parse EventData with * \"<Data>\" TargetHost \"</Data>\" *\n| summarize TargetCount = dcount(TargetHost), Targets = make_set(TargetHost, 10) by Computer, bin(TimeGenerated, 10m)\n| where TargetCount > 3\n| project TimeGenerated, SourceComputer = Computer, TargetCount, Targets",
"notes": "A single workstation generating 10009 against more than 3 distinct hosts within 10 minutes (the rule's TargetCount > 3 threshold) is suspicious. Tune the threshold based on environment size. Servers running SCCM or WMI-based monitoring may require exclusion."
},
{
"platform": "Sigma",
"title": "DCOM Remote Communication Failure — Potential Lateral Movement Probe",
"rule": "title: DCOM Remote Communication Failure — Potential Lateral Movement Probe\nstatus: experimental\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: Microsoft-Windows-DistributedCOM\n EventID: 10009\n condition: selection\nfalsepositives:\n - SCCM or WMI monitoring tools targeting offline hosts\n - Stale DNS records\nlevel: low\ntags:\n - attack.lateral_movement\n - attack.t1021.003"
}
],
"lastReviewed": "2026-04-10"
},
{
"id": 10010,
"log": "DCOM",
"provider": "Microsoft-Windows-DistributedCOM",
"channel": "System",
"level": "Error",
"title": "COM server failed to register with DCOM within timeout",
"summary": "A COM server (identified by CLSID) did not register with the DCOM service control manager within the required timeout period, indicating a crash, injection, or startup failure.",
"details": "Logged when DCOM launches a COM server process and that process fails to call CoRegisterClassObject within the default 120-second timeout. A hijacked COM server that does not implement the expected interface will fail to register, making this event a secondary indicator of COM hijacking activity.",
"category": "Defense Evasion",
"tags": [
"dcom",
"com-hijacking",
"persistence",
"process-injection",
"defense-evasion"
],
"relatedEventIds": [
{
"id": 10009,
"log": "DCOM"
},
{
"id": 1,
"log": "Sysmon"
},
{
"id": 8,
"log": "Sysmon"
},
{
"id": 12,
"log": "Sysmon"
},
{
"id": 13,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1546.015",
"techniqueName": "Event Triggered Execution: Component Object Model Hijacking",
"tactics": [
{
"tacticId": "TA0003",
"tacticName": "Persistence"
},
{
"tacticId": "TA0004",
"tacticName": "Privilege Escalation"
}
]
},
{
"techniqueId": "T1055",
"techniqueName": "Process Injection",
"tactics": [
{
"tacticId": "TA0005",
"tacticName": "Defense Evasion"
},
{
"tacticId": "TA0004",
"tacticName": "Privilege Escalation"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Resolve the CLSID in HKLM\\SOFTWARE\\Classes\\CLSID\\{GUID} — unknown CLSIDs not mapping to a known product are high-priority",
"Check HKCU\\Software\\Classes\\CLSID\\{GUID} for a user-space override (COM hijacking leaves traces here)",
"Correlate with Sysmon EID 1 (process creation) to see what process was launched for the CLSID and whether its image path is expected",
"Review Sysmon EID 12/13 (registry events) for recent changes to the CLSID registration keys"
],
"commonFalsePositives": [
"Windows Update and servicing components during patch application or OS upgrades",
"Third-party software installers that register COM objects and restart the service",
"Antivirus or EDR products that intercept COM activation and cause registration delays",
"COM servers that crash during startup due to missing dependencies (DLL not found)"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/application-management/dcom-errors-troubleshoot"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "param1",
"xpath": "EventData/Data[@Name='param1']",
"description": "CLSID of the COM server that failed to register; resolve to a friendly name via HKLM\\SOFTWARE\\Classes\\CLSID"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "COM Server Registration Timeout — CLSID Baseline Deviation",
"rule": "Event\n| where Source == \"DCOM\"\n| where EventID == 10010\n| parse EventData with * \"<Data>\" CLSID \"</Data>\" *\n| summarize Count = count() by CLSID, Computer, bin(TimeGenerated, 1d)\n| where Count == 1\n| project TimeGenerated, Computer, CLSID, Count",
"notes": "New or single-occurrence CLSIDs are more suspicious than recurring ones. Join with a CLSID allowlist derived from your software inventory for higher fidelity. Recurring 10010 for the same CLSID is usually a legitimate software issue."
},
{
"platform": "Sigma",
"title": "COM Server Registration Timeout — Possible COM Hijacking",
"rule": "title: COM Server Registration Timeout — Possible COM Hijacking\nstatus: experimental\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: Microsoft-Windows-DistributedCOM\n EventID: 10010\n condition: selection\nfalsepositives:\n - Windows servicing and update processes\n - Software installers registering COM objects\nlevel: low\ntags:\n - attack.persistence\n - attack.t1546.015"
}
],
"lastReviewed": "2026-05-10"
},
{
"id": 10016,
"log": "DCOM",
"provider": "Microsoft-Windows-DistributedCOM",
"channel": "System",
"level": "Warning",
"title": "DCOM application-specific permissions denied activation",
"summary": "A user or process attempted to activate or launch a COM server but was denied by the application-specific DCOM security permissions, generating a high-volume but security-relevant access denial record.",
"details": "Logged when a caller is denied Local or Remote Activation or Launch permission by the application-specific DCOM security descriptor. High volume in most environments due to Windows background COM activity. Remote activation attempts (from non-local addresses) are the highest-priority signal for DCOM lateral movement.",
"category": "Lateral Movement",
"tags": [
"dcom",
"lateral-movement",
"access-denied",
"privilege-escalation",
"remote-execution"
],
"relatedEventIds": [
{
"id": 10009,
"log": "DCOM"
},
{
"id": 4624,
"log": "Security"
},
{
"id": 4625,
"log": "Security"
},
{
"id": 4688,
"log": "Security"
},
{
"id": 1,
"log": "Sysmon"
},
{
"id": 3,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1021.003",
"techniqueName": "Remote Services: Distributed Component Object Model",
"tactics": [
{
"tacticId": "TA0008",
"tacticName": "Lateral Movement"
}
]
},
{
"techniqueId": "T1548",
"techniqueName": "Abuse Elevation Control Mechanism",
"tactics": [
{
"tacticId": "TA0004",
"tacticName": "Privilege Escalation"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Address field — a non-loopback, non-local IP address indicates a Remote activation attempt and is the highest-priority signal for DCOM lateral movement",
"User SID — a privileged account (e.g., SYSTEM, Administrator) should rarely be denied activation; a standard user or service account denied against a high-value CLSID warrants review",
"CLSID/AppID resolution — known attacker-favoured CLSIDs include MMC20.Application ({49B2791A-B1AE-4C90-9B8E-E860BA07F889}), ShellWindows ({9BA05972-F6A8-11CF-A442-00A0C90A8F39}), and ShellBrowserWindow ({C08AFD90-F2A1-11D1-8455-00A0C91F3880})",
"Frequency and process — bulk 10016 events from a single non-system process in a short window indicate automated lateral movement tooling rather than background Windows noise"
],
"commonFalsePositives": [
"Windows system components (Runtime Broker, COM Surrogate) generating 10016 against themselves due to permission misconfiguration on default COM servers — extremely common and typically safe to suppress by CLSID",
"Microsoft Office components activating COM servers across integrity levels",
"Third-party security products that use COM for inter-process communication with insufficient DCOM permissions",
"IIS application pools activating COM servers under a restricted service identity"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/application-management/dcom-errors-troubleshoot"
},
"volumeIndicator": "high",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "param3",
"xpath": "EventData/Data[@Name='param3']",
"description": "CLSID of the COM server the caller attempted to activate; resolve in HKLM\\SOFTWARE\\Classes\\CLSID"
},
{
"name": "param4",
"xpath": "EventData/Data[@Name='param4']",
"description": "AppID of the COM server; resolve in HKLM\\SOFTWARE\\Classes\\AppID"
},
{
"name": "param8",
"xpath": "EventData/Data[@Name='param8']",
"description": "Caller username (domain\\user); unexpected accounts (e.g., standard user on sensitive CLSID) are the primary pivot"
},
{
"name": "param12",
"xpath": "EventData/Data[@Name='param12']",
"description": "Source IP address of the activation request; a non-local IP indicates remote activation and a possible lateral movement attempt"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "DCOM Remote Activation Denied — Lateral Movement Attempt",
"rule": "Event\n| where Source == \"DCOM\"\n| where EventID == 10016\n| parse EventData with * \"from address \" SourceAddress \" running\" *\n| where SourceAddress !startswith \"127.\" and SourceAddress != \"::1\" and SourceAddress != \"Local\"\n| parse EventData with * \"user \" CallerUser \" SID\" *\n| parse EventData with * \"CLSID \" CLSID \"}\" *\n| project TimeGenerated, Computer, CallerUser, SourceAddress, CLSID",
"notes": "Filter on non-local source addresses to eliminate the bulk of Windows-generated noise. The resulting events represent remote activation attempts and should all be reviewed. Cross-reference CLSID against known lateral movement CLSIDs (MMC20.Application, ShellWindows, ShellBrowserWindow)."
},
{
"platform": "Sigma",
"title": "DCOM Remote Activation Denied — Possible Lateral Movement",
"rule": "title: DCOM Remote Activation Denied — Possible Lateral Movement\nstatus: experimental\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: Microsoft-Windows-DistributedCOM\n EventID: 10016\n filter_local:\n Message|contains:\n - 'from address 127.'\n - 'from address ::1'\n - 'from address Local'\n condition: selection and not filter_local\nfalsepositives:\n - Legitimate remote COM activation from management tools\nlevel: medium\ntags:\n - attack.lateral_movement\n - attack.t1021.003"
}
],
"lastReviewed": "2026-05-10"
},
{
"id": 10028,
"log": "DCOM",
"provider": "Microsoft-Windows-DistributedCOM",
"channel": "System",
"level": "Error",
"title": "DCOM unable to communicate with computer via any known IP",
"summary": "DCOM exhausted all known IP addresses for a remote computer and could not establish a connection, indicating network-level blocking or host unreachability.",
"details": "Logged after DCOM exhausts all known IP addresses for a remote host without successfully establishing a connection. Similar to EID 10009 but explicitly indicates all resolved addresses were tried; both events often appear together. Isolated occurrences indicate offline or decommissioned hosts, while a burst from one source across multiple targets in a short window suggests automated lateral movement.",
"category": "Lateral Movement",
"tags": [
"dcom",
"lateral-movement",
"rpc",
"network",
"reconnaissance"
],
"relatedEventIds": [
{
"id": 10009,
"log": "DCOM"
},
{
"id": 10016,
"log": "DCOM"
},
{
"id": 3,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1021.003",
"techniqueName": "Remote Services: Distributed Component Object Model",
"tactics": [
{
"tacticId": "TA0008",
"tacticName": "Lateral Movement"
}
]
},
{
"techniqueId": "T1018",
"techniqueName": "Remote System Discovery",
"tactics": [
{
"tacticId": "TA0007",
"tacticName": "Discovery"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Target computer name — is this a high-value asset (domain controller, file server, database server)?",
"Burst pattern — more than 3 unique targets within 5 minutes from one source indicates automated scanning or lateral movement tooling",
"Correlation with Sysmon EID 3 on the source host to confirm outbound RPC connection attempts matching the 10028 targets"
],
"commonFalsePositives": [
"Decommissioned servers still referenced in software configuration or DNS",
"Systems temporarily offline during maintenance windows",
"Domain-joined systems trying to reach domain controllers that are unreachable due to network partition"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/application-management/dcom-errors-troubleshoot"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "param1",
"xpath": "EventData/Data[@Name='param1']",
"description": "Target computer name that DCOM could not reach after exhausting all known IP addresses"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "DCOM Scan — Multiple Unreachable Targets from Single Source",
"rule": "Event\n| where Source == \"DCOM\"\n| where EventID == 10028\n| parse EventData with * \"<Data>\" TargetHost \"</Data>\" *\n| summarize TargetCount = dcount(TargetHost), Targets = make_set(TargetHost, 20) by Computer, bin(TimeGenerated, 5m)\n| where TargetCount > 3\n| project TimeGenerated, SourceComputer = Computer, TargetCount, Targets",
"notes": "Adjust the threshold and time window to your environment. In large organisations with extensive SCCM or WMI monitoring, raise the threshold. For workstations, even 2 unique targets in 5 minutes is unusual."
},
{
"platform": "Sigma",
"title": "DCOM All IP Addresses Exhausted — Potential Lateral Movement Scan",
"rule": "title: DCOM All IP Addresses Exhausted — Potential Lateral Movement Scan\nstatus: experimental\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: Microsoft-Windows-DistributedCOM\n EventID: 10028\n condition: selection\nfalsepositives:\n - Decommissioned or offline systems referenced in software configuration\n - Domain controllers temporarily unreachable\nlevel: low\ntags:\n - attack.lateral_movement\n - attack.t1021.003\n - attack.discovery\n - attack.t1018"
}
],
"lastReviewed": "2026-04-10"
}
]
}