DET0285: Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution
Analyst context for executives and security teams
DET0285 is a detection strategy for spotting DCOM-based remote code execution through multiple related events. Its business value is that DCOM abuse is tied to lateral movement on Windows systems using valid accounts, so single-event alerts may miss the operational story: an account, a remote host interaction, and resulting execution need to be evaluated together.
Executive priority
Prioritize this as a Windows lateral-movement coverage question: can the organization prove it can see and investigate valid-account activity that moves from one machine to another through DCOM? This matters for incident scoping, privileged access risk, audit evidence around monitoring, and resilience of critical Windows-hosted services. Because ATT&CK provides no official detection text for this strategy, leaders should ask for evidence of telemetry coverage and tested correlation logic rather than assuming coverage from tool ownership alone.
Technical view
This detection strategy covers ATT&CK T1021.003, Distributed Component Object Model, a Windows lateral-movement technique in which adversaries may use valid accounts to interact with remote machines and perform actions as the logged-on user. SOC and detection engineering teams should validate multi-event correlation across account use, remote DCOM/RPC-style host interaction, and subsequent execution or activity on the destination system. IR teams should treat the correlated source host, destination host, account, and resulting process/activity context as core scoping data.
Likely telemetry
- Windows endpoint activity from source and destination hosts
- Authentication and valid-account logon evidence
- Remote host interaction evidence associated with DCOM/RPC behavior
- Process execution or child activity on the destination system
- Asset and identity context for account privilege, host role, and expected administration patterns
Detection direction
- Validate that detections correlate multiple events rather than relying only on one network connection, one logon, or one process event.
- Tune against known administrative workflows, since legitimate Windows administration may also use valid accounts and remote component interaction.
- Confirm visibility on both the initiating host and destination host; one-sided telemetry can weaken confidence and incident scoping.
- Prioritize context for privileged or unusual accounts, unexpected source-destination pairs, and activity on sensitive Windows systems.
- Document gaps clearly because the ATT&CK object supplies no official detection logic or platform field beyond the related Windows technique.
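The correlation the bullets above ask for, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it joins a destination-side network logon, an optional source-side connection to the destination's RPC endpoint mapper, and follow-on process execution into one finding keyed by account, source host and destination host, tunes out a documented administrative path, and marks confidence lower when only the destination host's telemetry is present. The event schema, field names, host names, accounts, time window and tuning sets are all assumptions constructed for the example; the sample events are constructed, not real logs.

```python
"""Added example (not from the ATT&CK object or Glexia): correlate a network logon,
a source-side DCOM/RPC connection and follow-on process execution into one
lateral-movement finding keyed by (account, source host, destination host)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry in an assumed normalised schema (kind, ts, host,
# account, ...). These are not real logs. Logon type 3 is the Windows network
# logon type; TCP 135 is the RPC endpoint mapper that DCOM activation contacts.
SAMPLE_EVENTS = [
    # Case 1: full story from both hosts: WS01 -> FS01 by jdoe, then cmd.exe on FS01
    {"kind": "net_connect", "ts": "2024-05-01T10:00:00", "host": "WS01",
     "account": "CORP\\jdoe", "dst_host": "FS01", "dst_port": 135},
    {"kind": "logon", "ts": "2024-05-01T10:00:01", "host": "FS01",
     "account": "CORP\\jdoe", "src_host": "WS01", "logon_type": 3},
    {"kind": "process", "ts": "2024-05-01T10:00:03", "host": "FS01",
     "account": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe"},
    # Case 2: documented admin workflow (jump host -> file server); should be tuned out
    {"kind": "net_connect", "ts": "2024-05-01T10:02:00", "host": "JUMP01",
     "account": "CORP\\svc_admin", "dst_host": "FS01", "dst_port": 135},
    {"kind": "logon", "ts": "2024-05-01T10:02:01", "host": "FS01",
     "account": "CORP\\svc_admin", "src_host": "JUMP01", "logon_type": 3},
    {"kind": "process", "ts": "2024-05-01T10:02:02", "host": "FS01",
     "account": "CORP\\svc_admin", "image": "C:\\Windows\\System32\\mmc.exe"},
    # Case 3: destination-only evidence on a sensitive host (no source-side telemetry)
    {"kind": "logon", "ts": "2024-05-01T10:05:00", "host": "DC01",
     "account": "CORP\\jdoe", "src_host": "WS07", "logon_type": 3},
    {"kind": "process", "ts": "2024-05-01T10:05:02", "host": "DC01",
     "account": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Case 4: a network logon with no follow-on execution; one event is not a story
    {"kind": "logon", "ts": "2024-05-01T10:10:00", "host": "FS02",
     "account": "CORP\\jdoe", "src_host": "WS01", "logon_type": 3},
]

# Site-specific tuning inputs (assumed for the example).
KNOWN_ADMIN_PATHS = {("CORP\\svc_admin", "JUMP01", "FS01")}  # (account, src, dst)
SENSITIVE_HOSTS = {"DC01"}
WINDOW = timedelta(seconds=60)


@dataclass
class Finding:
    """Scoping record an IR team can act on: who, from where, to where, what ran."""
    account: str
    src_host: str
    dst_host: str
    logon_ts: datetime
    process_image: str
    confidence: str        # "corroborated" when the source host also saw it
    sensitive_target: bool


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=WINDOW, known_paths=KNOWN_ADMIN_PATHS,
              sensitive_hosts=SENSITIVE_HOSTS):
    """Return one Finding per (account, src, dst) network logon that is followed by
    process execution on the destination within `window`, excluding documented
    admin paths and marking confidence by whether the source host corroborates."""
    connects = defaultdict(list)   # (account, src, dst) -> [ts]
    logons = defaultdict(list)     # (account, src, dst) -> [ts]
    processes = defaultdict(list)  # (account, dst)      -> [(ts, image)]
    for e in sorted(events, key=_ts):
        if e["kind"] == "net_connect" and e.get("dst_port") == 135:
            connects[(e["account"], e["host"], e["dst_host"])].append(_ts(e))
        elif e["kind"] == "logon" and e.get("logon_type") == 3:
            logons[(e["account"], e["src_host"], e["host"])].append(_ts(e))
        elif e["kind"] == "process":
            processes[(e["account"], e["host"])].append((_ts(e), e["image"]))

    findings = []
    for (account, src, dst), logon_times in logons.items():
        if (account, src, dst) in known_paths:
            continue  # expected administration: tune out rather than alert
        for logon_ts in logon_times:
            follow_on = [(ts, img) for ts, img in processes.get((account, dst), [])
                         if logon_ts <= ts <= logon_ts + window]
            if not follow_on:
                continue  # a logon alone is not evidence of remote execution
            source_seen = any(logon_ts - window <= ts <= logon_ts
                              for ts in connects.get((account, src, dst), []))
            findings.append(Finding(
                account=account, src_host=src, dst_host=dst, logon_ts=logon_ts,
                process_image=follow_on[0][1],
                confidence="corroborated" if source_seen else "destination-only",
                sensitive_target=dst in sensitive_hosts,
            ))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.account} {f.src_host}->{f.dst_host} ran {f.process_image} "
              f"[{f.confidence}{', sensitive target' if f.sensitive_target else ''}]")
```

Run against the constructed sample, the first case yields a corroborated finding, the jump-host case is tuned out, the domain-controller case is reported with destination-only confidence so the gap in source-side telemetry is visible to the analyst, and the lone logon produces nothing. In production the known-path set and sensitive-host set would come from asset and identity context rather than literals.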
Mitigation priorities
- Strengthen identity controls for valid accounts that can administer or interact with remote Windows systems.
- Review and limit where remote DCOM-related administration is required, especially for sensitive servers and workstations.
- Ensure endpoint, authentication, and network telemetry needed for multi-event correlation is retained and searchable.
- Use incident response playbooks that rapidly map account, source host, destination host, and resulting activity when suspected lateral movement appears.
- Maintain audit-ready evidence showing which Windows segments and privileged accounts are covered by monitoring and which require compensating controls.
Analyst notes and limits
The key decision value is not that DCOM exists, but whether defenders can connect account use, remote Windows interaction, and resulting activity into a reliable lateral-movement story. This strategy should be evaluated as part of managed detection, identity monitoring, and incident response readiness for Windows environments.
The supplied ATT&CK object has no official description, no official detection text, no tactics, and no platforms specified on the detection strategy itself. The Windows and lateral-movement context comes from the related technique T1021.003. Local telemetry, architecture, administrative practices, and control evidence are required to turn this into a validated detection.
Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1021.003 | Distributed Component Object Model Sub-technique | This object detects Distributed Component Object Model. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b4e8d8302083… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0285 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.