high advisory

Incoming DCOM Lateral Movement with MMC

Detection of Distributed Component Object Model (DCOM) abuse to execute commands remotely via the MMC20 Application COM object, potentially indicating lateral movement.

This rule identifies the use of Distributed Component Object Model (DCOM) for remote command execution, specifically leveraging the MMC20 Application COM object. Attackers may abuse DCOM applications to move laterally within a network. The detection focuses on incoming network connections to Windows hosts where mmc.exe is running and subsequently spawns child processes. This technique, known since at least 2017, can bypass traditional security controls and provides a stealthy way to execute commands on remote systems. The Elastic rule ID for this behavior is 51ce96fb-9e52-4dad-b0ba-99b54440fc9a, last updated on 2026/05/03.

Attack Chain

  1. An attacker compromises a system and seeks to move laterally.
  2. The attacker uses DCOM to initiate a connection to a remote Windows host. The connection targets mmc.exe via high ports (>= 49152) using TCP.
  3. The target mmc.exe receives the incoming DCOM connection.
  4. The MMC20 Application COM object is used to execute a command.
  5. mmc.exe spawns a child process to execute the command. This child process could be cmd.exe, PowerShell, or another executable.
  6. The child process performs malicious actions, such as reconnaissance, privilege escalation, or data exfiltration.
  7. The attacker may establish persistence or move to other systems in the network.

Impact

Successful exploitation allows attackers to execute arbitrary commands on remote systems, potentially leading to data theft, system compromise, and further lateral movement. This can affect all Windows systems within an organization if DCOM is not properly secured. The impact can range from minor data breaches to complete network compromise, depending on the attacker’s objectives and the privileges of the compromised accounts.

Recommendation

  • Enable Sysmon process creation and network connection logging to capture the necessary events (Sysmon Event ID 1 and 3) to trigger the rules below.
  • Deploy the Sigma rules below to your SIEM and tune for your environment.
  • Restrict DCOM/RPC between workstations to prevent unauthorized lateral movement.
  • Monitor network connections to mmc.exe processes, especially those originating from unusual source IPs or ports.
  • Review and restrict Microsoft Management Console inbound access to only authorized administrators and systems.

Detection coverage (2)

Detect Incoming DCOM Lateral Movement with MMC Child Process

high

Detects DCOM lateral movement attempts by identifying incoming network connections to mmc.exe followed by the creation of a child process.

Format: Sigma | Tactics: lateral_movement | Techniques: T1021 | Sources: process_creation, windows

Detect Incoming DCOM Network Connection to MMC

medium

Detects DCOM lateral movement attempts by identifying incoming network connections to mmc.exe on high ports.

Format: Sigma | Tactics: lateral_movement | Techniques: T1021 | Sources: network_connection, windows
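The two rules above correlate a Sysmon network-connection event (ID 3) to mmc.exe with a later process-creation event (ID 1) whose parent is that mmc.exe. The following Python is an added illustration of that correlation, not the platform's Sigma rules: the events are constructed Sysmon-style records, and the 60-second window, host names, GUIDs and IPs are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry). EventID 3 = network
# connection, EventID 1 = process creation; field names follow Sysmon.
MMC = r"C:\Windows\System32\mmc.exe"
EVENTS = [
    # ws01: inbound TCP on a dynamic port to mmc.exe, then mmc.exe spawns
    # cmd.exe two seconds later -> both rules fire.
    {"EventID": 3, "Host": "ws01", "UtcTime": "2024-01-01 10:00:00", "Image": MMC,
     "ProcessGuid": "{G1}", "Initiated": "false", "Protocol": "tcp",
     "DestinationPort": 49667, "SourceIp": "10.0.0.5"},
    {"EventID": 1, "Host": "ws01", "UtcTime": "2024-01-01 10:00:02",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": MMC, "ParentProcessGuid": "{G1}"},
    # ws02: mmc.exe itself opened an outbound connection -> benign, no alert.
    {"EventID": 3, "Host": "ws02", "UtcTime": "2024-01-01 10:05:00", "Image": MMC,
     "ProcessGuid": "{G2}", "Initiated": "true", "Protocol": "tcp",
     "DestinationPort": 49700, "SourceIp": "10.0.0.9"},
    # ws03: inbound connection, but the child appears an hour later -> only
    # the medium network-connection rule fires.
    {"EventID": 3, "Host": "ws03", "UtcTime": "2024-01-01 11:00:00", "Image": MMC,
     "ProcessGuid": "{G3}", "Initiated": "false", "Protocol": "tcp",
     "DestinationPort": 50120, "SourceIp": "10.0.0.5"},
    {"EventID": 1, "Host": "ws03", "UtcTime": "2024-01-01 12:00:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": MMC, "ParentProcessGuid": "{G3}"},
]
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per environment

def ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")

def is_incoming_dcom_to_mmc(e):
    """Medium rule: inbound TCP on a dynamic RPC port (>= 49152) to mmc.exe."""
    return (e["EventID"] == 3 and e["Image"].lower().endswith("\\mmc.exe")
            and e["Initiated"] == "false" and e["Protocol"] == "tcp"
            and int(e["DestinationPort"]) >= 49152)

def detect(events):
    """Return (medium, high). medium: every inbound connection to mmc.exe.
    high: those followed within WINDOW, on the same host, by a process whose
    ParentProcessGuid is the mmc.exe ProcessGuid from the connection event."""
    medium, high = [], []
    for conn in filter(is_incoming_dcom_to_mmc, events):
        medium.append((conn["Host"], conn["SourceIp"]))
        for child in events:
            delta = (ts(child) - ts(conn)).total_seconds()
            if (child["EventID"] == 1 and child["Host"] == conn["Host"]
                    and child.get("ParentProcessGuid") == conn["ProcessGuid"]
                    and 0 <= delta <= WINDOW.total_seconds()):
                high.append((conn["Host"], conn["SourceIp"], child["Image"]))
    return medium, high
```

Joining on the mmc.exe ProcessGuid rather than on image name alone keeps a locally launched console from being paired with an unrelated inbound connection on the same host.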
