AN0791: Analytic 0791
A remote DCOM invocation by a privileged account using RPC (port 135), followed by abnormal process instantiation or module loading on the remote system indicative of code execution.
Analyst context for executives and security teams
This analytic matters because remote DCOM activity by a privileged account can represent a high-consequence path to code execution on a Windows system. For leaders, the value is not just detecting one protocol event; it is validating whether the organization can connect identity use, RPC/DCOM network activity, and suspicious process or module behavior on the destination host quickly enough to support containment decisions.
Executive priority
Prioritize this as a Windows privileged-access and incident-readiness question: do security teams have evidence that privileged remote execution paths are monitored, investigated, and governed? The business risk is elevated because the described behavior combines privileged identity use with remote code execution indicators. Executives should ask whether SOC and IR teams can identify the account used, the source and destination systems, the process or module activity created remotely, and whether privileged account activity over RPC is explainable by approved administration.
Technical view
Validate coverage for Windows environments where DCOM/RPC traffic on port 135 is permitted. The analytic describes a sequence: remote DCOM invocation by a privileged account using RPC, followed by abnormal process instantiation or module loading on the remote system. SOC teams should test whether they can correlate network connection evidence, authentication or account context, and endpoint process/module telemetry on the destination host. Because no official detection logic is provided, local baselining is required to distinguish approved administration and management tooling from unusual remote execution patterns.
Likely telemetry
- Windows endpoint process creation events on the remote system (Security event 4688 with command-line auditing enabled, or Sysmon Event ID 1); a DCOM-launched server process typically appears as a child of the svchost.exe instance hosting the DcomLaunch service
- Windows module or image load telemetry on the remote system (for example Sysmon Event ID 7)
- Network telemetry showing RPC/DCOM activity, including port 135, source, and destination (Sysmon Event ID 3 or flow logs); note that port 135 is only the RPC endpoint mapper, so the DCOM call itself is serviced on a dynamic port negotiated through it
- Authentication or logon telemetry identifying the privileged account involved (Security event 4624 with logon type 3 for network logons, including the source address)
- Asset and administrative-tool context to determine whether the source host and account are expected to perform remote DCOM activity
Detection direction
- Confirm telemetry can correlate privileged account activity, RPC/DCOM network use, and destination-host process or module behavior within a useful investigation window.
- Baseline legitimate Windows administration, management, and automation activity that may use DCOM/RPC to reduce false positives.
- Tune for abnormal process instantiation or module loading on the remote system rather than treating port 135 traffic alone as sufficient evidence; endpoint-mapper lookups on port 135 are routine on any Windows network and the actual DCOM call lands on a dynamic port, so a connection to 135 by itself says little.
- Review blind spots where endpoint logging is absent on servers, privileged account context is not captured, or east-west RPC traffic is not visible.
- Because no ATT&CK relationship context or official detection query is supplied, avoid assuming tactic, technique coverage, or threat attribution from this analytic alone.
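The correlation the "Technical view" and "Detection direction" sections describe, written out as an added example (this is not MITRE's or Glexia's detection logic, and the page supplies none). The event records, field names, hosts, accounts, IP addresses and timestamps are all constructed here for illustration, and the privileged-account and approved-admin-host sets stand in for the local baseline data the page says each organization must supply. The logic keys a DCOM-launched child of svchost.exe on the destination back to a preceding privileged type-3 logon and a port 135 connection from the same source within a short window, reports the match, and flags rather than drops sequences that originate from an approved management host:

```python
"""Correlate RPC endpoint-mapper traffic, a privileged network logon and a
DCOM-launched process on the destination host into one finding.

Added example, not MITRE's or Glexia's code. Event shapes, hosts, accounts,
IPs and timestamps below are constructed; PRIVILEGED and APPROVED_ADMIN_HOSTS
are assumed stand-ins for local baseline data.
"""
from datetime import datetime, timedelta

PRIVILEGED = {"CORP\\admin-j.doe", "CORP\\svc-sccm"}   # assumed local list
APPROVED_ADMIN_HOSTS = {"MGMT01"}                       # assumed baseline
WINDOW = timedelta(seconds=30)                          # correlation window

# Constructed sample telemetry, normalized to dicts with assumed field names.
EVENTS = [
    # SRV01: a workstation drives a DCOM launch as a privileged account
    {"ts": "2024-05-01T10:00:00", "host": "SRV01", "type": "network",
     "src_host": "WS17", "src_ip": "10.0.0.17", "dst_port": 135},
    {"ts": "2024-05-01T10:00:01", "host": "SRV01", "type": "logon",
     "account": "CORP\\admin-j.doe", "logon_type": 3, "src_ip": "10.0.0.17"},
    {"ts": "2024-05-01T10:00:03", "host": "SRV01", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": "svchost.exe -k DcomLaunch -p", "account": "CORP\\admin-j.doe"},
    # SRV02: same sequence from an approved management host (baseline case)
    {"ts": "2024-05-01T10:05:00", "host": "SRV02", "type": "network",
     "src_host": "MGMT01", "src_ip": "10.0.0.5", "dst_port": 135},
    {"ts": "2024-05-01T10:05:01", "host": "SRV02", "type": "logon",
     "account": "CORP\\svc-sccm", "logon_type": 3, "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T10:05:02", "host": "SRV02", "type": "process",
     "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": "svchost.exe -k DcomLaunch -p", "account": "CORP\\svc-sccm"},
    # SRV03: endpoint-mapper traffic and a logon, but nothing executed
    {"ts": "2024-05-01T10:10:00", "host": "SRV03", "type": "network",
     "src_host": "WS22", "src_ip": "10.0.0.22", "dst_port": 135},
    {"ts": "2024-05-01T10:10:01", "host": "SRV03", "type": "logon",
     "account": "CORP\\admin-j.doe", "logon_type": 3, "src_ip": "10.0.0.22"},
    # SRV01 later: a DCOM child spawned for an unprivileged user (out of scope)
    {"ts": "2024-05-01T11:00:00", "host": "SRV01", "type": "network",
     "src_host": "WS30", "src_ip": "10.0.0.30", "dst_port": 135},
    {"ts": "2024-05-01T11:00:01", "host": "SRV01", "type": "logon",
     "account": "CORP\\j.smith", "logon_type": 3, "src_ip": "10.0.0.30"},
    {"ts": "2024-05-01T11:00:02", "host": "SRV01", "type": "process",
     "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": "svchost.exe -k DcomLaunch -p", "account": "CORP\\j.smith"},
]


def _t(s):
    return datetime.fromisoformat(s)


def is_dcom_child(ev):
    """True for a process whose parent is the svchost.exe hosting DcomLaunch."""
    return (ev["type"] == "process"
            and ev["parent_image"].lower().endswith("\\svchost.exe")
            and "dcomlaunch" in ev["parent_cmdline"].lower())


def correlate(events):
    """Return one alert per DCOM-launched process run as a privileged account
    that is preceded, within WINDOW on the same destination host, by a type-3
    logon for that account and a TCP/135 connection from the logon's source."""
    alerts = []
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _t(e["ts"]))
        for proc in (e for e in evs if is_dcom_child(e)):
            if proc["account"] not in PRIVILEGED:
                continue
            start = _t(proc["ts"]) - WINDOW
            prior = [e for e in evs if start <= _t(e["ts"]) <= _t(proc["ts"])]
            logons = [e for e in prior if e["type"] == "logon"
                      and e["logon_type"] == 3 and e["account"] == proc["account"]]
            for lg in logons:
                nets = [e for e in prior if e["type"] == "network"
                        and e["dst_port"] == 135 and e["src_ip"] == lg["src_ip"]]
                if not nets:
                    continue
                src_host = nets[0]["src_host"]
                alerts.append({
                    "dst_host": host, "src_host": src_host, "src_ip": lg["src_ip"],
                    "account": proc["account"], "image": proc["image"],
                    # Baseline handling: approved admin hosts are kept for review
                    # but marked so the SOC can de-prioritize them.
                    "suppressed": src_host in APPROVED_ADMIN_HOSTS,
                })
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

SRV03 never produces an alert even though it has both the port 135 connection and the privileged logon, which is the point of not treating endpoint-mapper traffic as sufficient on its own; SRV02 is reported but marked suppressed so the approved-host baseline is visible rather than silently discarded.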
Mitigation priorities
- Restrict privileged account use to approved administrative workflows and systems.
- Limit RPC/DCOM exposure where business operations allow, especially unnecessary lateral Windows administrative paths.
- Ensure endpoint logging for process creation and module loading is enabled on critical Windows systems.
- Maintain asset and account ownership context so SOC teams can quickly decide whether privileged remote activity is expected.
- Use incident response playbooks that include validation of the initiating account, source host, destination host, and resulting process/module activity.
Analyst notes and limits
AN0791 is a detection analytic for Windows describing remote DCOM invocation by a privileged account over RPC port 135 followed by abnormal process or module behavior on the remote host. It is useful as a coverage-validation prompt for managed detection, IR readiness, privileged access governance, and Windows lateral-movement monitoring, but it does not provide a detection query, tactic mapping, technique relationship, or adversary context.
The supplied ATT&CK fields include no official detection logic, no tactics, and no relationship context. This analysis therefore cannot assert specific ATT&CK technique coverage, active exploitation, attribution, or guaranteed detection. Local environment baselines and telemetry quality determine practical usefulness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under MITRE's ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 04df3bea6650… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0791
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.