Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Company
Platform
Modern NDR
Resources
Company
DETECTION OVERVIEW
Risk Factors
Windows DCOM objects (which perform actions on behalf of a remote application or user) are widely accessible on Windows devices by default. Many attack tools, such as Cobalt Strike and Empire, leverage DCOM to compromise devices with the goal of lateral movement. The severity of the attack depends on which devices are compromised and the type of commands that are run.
The system might change the risk score for this detection.
Category
Windows Component Object Model (COM) is a platform-independent standard that specifies how program objects interact within an application. These objects include methods that can perform actions, such as running commands or printing files. Distributed COM (DCOM) enables an application on a local Windows device to interact with COM objects on a remote Windows application. An attacker with administrator privileges can leverage attack tools that interact with DCOM, compromising remote devices to move laterally across the network. For example, mmc20_application is a COM object with an ExecuteShellCommand method, which can accept and run commands on a server. The attacker sends a DCOM request with the malicious command, invoking mmc20_application to run the malicious command with ExecuteShellCommand.
Disable DCOM through Dcomcnfg.exe unless required
Enable COM alerts and Protected View
Block DCOM requests by enabling Windows firewall
Restrict access to COM objects for specific applications by modifying Registry settings in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{{{{AppID_GUID}}}, or restrict access for all COM applications by modifying HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Implement network segmentation, security zones, and firewall policies that limit how devices can communicate
Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.
ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response
Visit this resource for more information.
This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.
Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.
Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.
