Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Windows DCOM objects (which perform actions on behalf of a remote application or user) are widely accessible on Windows devices by default. Many attack tools, such as Cobalt Strike and Empire, leverage DCOM to compromise devices with the goal of lateral movement. The severity of the attack depends on which devices are compromised and the type of commands that are run.
The system might change the risk score for this detection.
Kill Chain
Risk Score
60
Windows Component Object Model (COM) is a platform-independent standard that specifies how program objects interact within an application. These objects include methods that can perform actions, such as running commands or printing files. Distributed COM (DCOM) enables an application on a local Windows device to interact with COM objects on a remote Windows application. An attacker with administrator privileges can leverage attack tools that interact with DCOM, compromising remote devices to move laterally across the network. For example, mmc20_application is a COM object with an ExecuteShellCommand method, which can accept and run commands on a server. The attacker sends a DCOM request with the malicious command, invoking mmc20_application to run the malicious command with ExecuteShellCommand.
Disable DCOM through Dcomcnfg.exe unless required
Enable COM alerts and Protected View
Block DCOM requests by enabling Windows firewall
Restrict access to COM objects for specific applications by modifying Registry settings in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{{{{AppID_GUID}}}, or restrict access for all COM applications by modifying HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Implement network segmentation, security zones, and firewall policies that limit how devices can communicate
