A remote DCOM invocation by a privileged account using RPC (port 135), followed by abnormal process instantiation or module loading on the remote system indicative of code execution.
| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 (LogonType=3) |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| TimeWindow | Correlate RPC activity with remote process creation within a configurable time window (e.g., 300s) |
| UserContext | Identify rare or first-time DCOM invocations by specific accounts |
| ProcessName | List of suspicious executables commonly abused via DCOM (e.g., excel.exe, wmiprvse.exe) |
| RemoteHostList | Known set of systems that should or should not be invoking DCOM activity |
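The correlation described above, worked through over constructed sample events as an added example (this is not code from the detection strategy page): a suspicious process creation is flagged only when, on the same host and inside the time window, a port-135 connection and a type-3 logon arrived from the same remote address that is not on the allow-list. Field names, addresses, the process list and the allow-list are assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunables from the table above; the values are illustrative, not recommended settings.
SUSPICIOUS = {"excel.exe", "wmiprvse.exe"}          # ProcessName
ALLOWED_REMOTE = {"10.0.0.9"}                       # RemoteHostList (sources allowed to use DCOM)

# Constructed sample events, one dict per record (field names are hypothetical, not a real schema).
EVENTS = [
    # Scenario A: type-3 logon + RPC connection from 10.0.0.5, then excel.exe 40 s later -> alert
    {"ts": "2024-05-01T09:00:00", "source": "Security", "code": 4624, "host": "WS01",
     "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:01", "source": "Sysmon", "code": 3, "host": "WS01",
     "src_ip": "10.0.0.5", "dst_port": 135},
    {"ts": "2024-05-01T09:00:40", "source": "Sysmon", "code": 1, "host": "WS01",
     "user": "CORP\\jdoe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    # Scenario B: same pattern from an allow-listed management host -> no alert
    {"ts": "2024-05-01T09:10:00", "source": "Security", "code": 4624, "host": "WS02",
     "user": "CORP\\svc-mgmt", "logon_type": 3, "src_ip": "10.0.0.9"},
    {"ts": "2024-05-01T09:10:01", "source": "Sysmon", "code": 3, "host": "WS02",
     "src_ip": "10.0.0.9", "dst_port": 135},
    {"ts": "2024-05-01T09:10:05", "source": "Sysmon", "code": 1, "host": "WS02",
     "user": "CORP\\svc-mgmt", "image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # Scenario C: excel.exe with no RPC activity inside the window -> no alert
    {"ts": "2024-05-01T09:30:00", "source": "Sysmon", "code": 1, "host": "WS01",
     "user": "CORP\\jdoe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
]

def when(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, window_s=300):
    """Return one alert per suspicious process creation that is preceded, on the same host
    and within window_s seconds (the TimeWindow tunable), by a port-135 connection and a
    type-3 logon from the same non-allow-listed remote address."""
    window, alerts = timedelta(seconds=window_s), []
    for proc in events:
        if proc["source"] != "Sysmon" or proc["code"] != 1 \
                or PureWindowsPath(proc["image"]).name.lower() not in SUSPICIOUS:
            continue
        prior = [e for e in events if e["host"] == proc["host"]
                 and timedelta(0) <= when(proc) - when(e) <= window]
        rpc_sources = {e["src_ip"] for e in prior
                       if e["source"] == "Sysmon" and e["code"] == 3 and e.get("dst_port") == 135}
        logon_sources = {e["src_ip"] for e in prior
                         if e["source"] == "Security" and e["code"] == 4624 and e.get("logon_type") == 3}
        for ip in (rpc_sources & logon_sources) - ALLOWED_REMOTE:
            alerts.append({"host": proc["host"], "user": proc["user"],
                           "remote": ip, "image": proc["image"], "ts": proc["ts"]})
    return alerts
```

Running `correlate(EVENTS)` yields a single alert for scenario A; shrinking the window below 40 seconds, or adding 10.0.0.5 to the allow-list, suppresses it, which is the behaviour the UserContext and RemoteHostList tunables are meant to govern.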