DET0285 Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution

| Item | Value |
|---|---|
| ID | DET0285 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1021.003 (Distributed Component Object Model)

Analytics

Windows

AN0791

A remote DCOM invocation by a privileged account over RPC (port 135, the RPC endpoint mapper), followed by abnormal process instantiation or module loading on the remote system, indicative of code execution.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| DC0067 | Logon Session Creation | WinEventLog:Security EventCode=4624, 4648 |
| DC0082 | Network Connection Creation | WinEventLog:Sysmon EventCode=3, 22 |
| DC0032 | Process Creation | WinEventLog:Sysmon EventCode=1 |
| DC0016 | Module Load | WinEventLog:Sysmon EventCode=7 |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Correlate RPC activity with remote process creation within a configurable time window (e.g., 300s) |
| UserContext | Identify rare or first-time DCOM invocations by specific accounts |
| ProcessName | List of suspicious executables commonly abused via DCOM (e.g., excel.exe, wmiprvse.exe) |
| RemoteHostList | Known set of systems that should or should not be invoking DCOM activity |
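The following is an added example, not part of the MITRE ATT&CK detection strategy page and not a shipped analytic. It shows the multi-event correlation AN0791 describes: a network logon (Security 4624, logon type 3), an inbound connection to port 135 (Sysmon 3) from the same source address, and a subsequent process creation (Sysmon 1) of an executable on the ProcessName list, all on the same host within TimeWindow. The events are constructed and use simplified field names rather than the raw Windows or Sysmon schema; the allowlist of hosts permitted to drive DCOM (RemoteHostList) and the parent-image check are assumptions for illustration.

```python
"""Correlate remote logon + RPC endpoint-mapper connection + process creation
into a DCOM remote-execution alert (added example with constructed events)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Mutable elements from the detection strategy (tune per environment)
TIME_WINDOW = timedelta(seconds=300)
SUSPICIOUS_PROCESSES = {"excel.exe", "wmiprvse.exe"}
# RemoteHostList: assumed allowlist of systems expected to invoke DCOM remotely
ALLOWED_DCOM_SOURCES = {"10.0.0.10"}

# Constructed sample telemetry (simplified fields, not the real event schema)
EVENTS = [
    # True positive: admin logs on over the network, hits port 135, Excel spawns under svchost
    {"ts": "2025-10-21T09:58:00", "source": "Security", "code": 4624, "host": "WS01",
     "user": "CORP\\admin.jdoe", "logon_type": 3, "src_ip": "10.0.0.50"},
    {"ts": "2025-10-21T09:58:01", "source": "Sysmon", "code": 3, "host": "WS01",
     "src_ip": "10.0.0.50", "dst_port": 135, "initiated": False},
    {"ts": "2025-10-21T09:58:04", "source": "Sysmon", "code": 1, "host": "WS01",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "parent_image": "C:\\Windows\\System32\\svchost.exe", "user": "CORP\\admin.jdoe"},
    # Expected activity: monitoring host on the allowlist drives WMI via DCOM
    {"ts": "2025-10-21T10:15:00", "source": "Security", "code": 4624, "host": "WS01",
     "user": "CORP\\svc.monitor", "logon_type": 3, "src_ip": "10.0.0.10"},
    {"ts": "2025-10-21T10:15:01", "source": "Sysmon", "code": 3, "host": "WS01",
     "src_ip": "10.0.0.10", "dst_port": 135, "initiated": False},
    {"ts": "2025-10-21T10:15:03", "source": "Sysmon", "code": 1, "host": "WS01",
     "image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe", "user": "CORP\\svc.monitor"},
    # Noise: a user opens Excel interactively, no remote logon or RPC connection precedes it
    {"ts": "2025-10-21T10:20:00", "source": "Sysmon", "code": 1, "host": "WS02",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\alice"},
    # Noise: Excel under svchost, but the only matching logon is far outside TimeWindow
    {"ts": "2025-10-21T11:30:00", "source": "Sysmon", "code": 1, "host": "WS01",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "parent_image": "C:\\Windows\\System32\\svchost.exe", "user": "CORP\\admin.jdoe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _in_window(event, start, end):
    return start <= _ts(event) <= end


def correlate(events, window=TIME_WINDOW, suspicious=SUSPICIOUS_PROCESSES,
              allowed_sources=ALLOWED_DCOM_SOURCES):
    """Return one alert per suspicious process creation that is preceded, within
    `window`, by a network logon for the same account and an inbound port-135
    connection from that logon's source address on the same host."""
    events = sorted(events, key=_ts)
    alerts = []
    for proc in events:
        if proc["source"] != "Sysmon" or proc["code"] != 1:
            continue
        if PureWindowsPath(proc["image"]).name.lower() not in suspicious:
            continue
        end = _ts(proc)
        start = end - window
        # Step 1: network logon (type 3) by the same account on the same host
        logons = [e for e in events
                  if e["source"] == "Security" and e["code"] == 4624
                  and e["host"] == proc["host"] and e["logon_type"] == 3
                  and e["user"].lower() == proc["user"].lower()
                  and _in_window(e, start, end)]
        for logon in logons:
            # Step 2: inbound connection to the RPC endpoint mapper from the logon source
            rpc = [e for e in events
                   if e["source"] == "Sysmon" and e["code"] == 3
                   and e["host"] == proc["host"] and e["dst_port"] == 135
                   and not e["initiated"] and e["src_ip"] == logon["src_ip"]
                   and _in_window(e, start, end)]
            if not rpc:
                continue
            # Step 3: the chain is complete; grade by RemoteHostList membership
            from_allowed = logon["src_ip"] in allowed_sources
            alerts.append({
                "host": proc["host"],
                "user": proc["user"],
                "src_ip": logon["src_ip"],
                "image": PureWindowsPath(proc["image"]).name.lower(),
                "parent_image": PureWindowsPath(proc["parent_image"]).name.lower(),
                "allowed_source": from_allowed,
                "severity": "low" if from_allowed else "high",
                "chain_seconds": (end - _ts(logon)).total_seconds(),
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The two noise events show why the chain matters: an interactively launched Excel with no preceding network logon produces nothing, and a matching logon outside TimeWindow is ignored. The allowlisted source still surfaces as a low-severity alert rather than being dropped, so rare or first-time DCOM use by an account (UserContext) can be reviewed without the analytic going silent for expected hosts.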