Message

Unable to start a DCOM Server: %3. The error:
"%2"
Happened while starting this command:
%1

Fields

Message

Unable to start a DCOM Server: %3 as %4/%5. The error:
"%2"
Happened while starting this command:
%1

Fields

Sigma Rules

• Local Privilege Escalation Indicator TabTip
  Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

Fields

Fields

Message

DCOM got error "%1" and was unable to logon %2\%3 in order to run the server:
%4

Fields

Message

DCOM got error "%1" attempting to start the service %2 with arguments "%3" in order to run the server:
%4

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-DistributedCOM
  guid: '{1B562E86-B7AA-4131-BADC-B6F3A001407E}'
  event_source_name: DCOM
  event_id: 10005
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2019-04-27T21:04:43.704329Z'
  event_record_id: 9256
  correlation: {}
  execution:
    process_id: 756
    thread_id: 4404
  channel: System
  computer: DESKTOP-JR78RLP
  security:
    user_id: S-1-5-18
event_data:
  param1: '1068'
  param2: netprofm
  param3: Unavailable
  param4: '{A47979D2-C419-11D9-A5B4-001185AD2B89}'

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

DCOM got error "%1" from the computer %2 when attempting to activate the server:
%3

Fields

Fields

Message

DCOM got error "%1" from the computer %2 when attempting to the server:
%3 with file %4.

Fields

Fields

Message

The server %1 did not register with DCOM within the required timeout.

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-DistributedCOM
  guid: '{1B562E86-B7AA-4131-BADC-B6F3A001407E}'
  event_source_name: DCOM
  event_id: 10010
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2023-10-25T22:55:19.214417+00:00'
  event_record_id: 1460
  correlation:
    ActivityID: D5BBEBF4-0795-0001-900E-BCD59507DA01
  execution:
    process_id: 508
    thread_id: 560
  channel: System
  computer: WinDevEval
  security:
    user_id: S-1-5-21-2533829718-189860685-2477588761-500
event_data:
  param1: '{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields

Fields

Message

The activation for CLSID %1 failed because remote activations for COM+ are disabled. To enable this functionality use Server Manager to install the COM+ Network Access feature in the Application Server role.

Fields

Message

The machine wide limit settings do not grant %1 %2 permission for the COM Server application with CLSID 
%3
 and APPID 
%4
 to the user %5\%6 SID (%7) from address %8 running in the application container %9 SID (%10). This security permission can be modified using the Component Services administrative tool.

Fields

Message

The %1 permission settings do not grant %2 %3 permission for the COM Server application with CLSID 
%4
 and APPID 
%5
 to the user %6\%7 SID (%8) from address %9 running in the application container %10 SID (%11). This security permission can be modified using the Component Services administrative tool.

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-DistributedCOM
  guid: '{1B562E86-B7AA-4131-BADC-B6F3A001407E}'
  event_source_name: DCOM
  event_id: 10016
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2023-11-05T23:54:13.816805+00:00'
  event_record_id: 2034
  correlation:
    ActivityID: E4DB489E-1037-0003-B8CC-E0E43710DA01
  execution:
    process_id: 8
    thread_id: 10920
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  param1: application-specific
  param2: Local
  param3: Activation
  param4: '{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}'
  param5: '{15C20B67-12E7-4BB6-92BB-7AFF07997402}'
  param6: WINDEV2310EVAL
  param7: User
  param8: S-1-5-21-1992711665-1655669231-58201500-1000
  param9: LocalHost (Using LRPC)
  param10: Unavailable
  param11: Unavailable
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The %1 permission settings do not grant %2 access permission to the COM Server application %3 with APPID 
%4
 to the user %5\%6 SID (%7) from address %8 running in the application container %9 SID (%10). This security permission can be modified using the Component Services administrative tool.

Fields

Message

The application-specific permission settings do not grant %1 access permission to the COM Server application %2 with APPID 
%3
 to the user %4\%5 SID (%6) from address %7 running in the application container %8 SID (%9). The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields

Message

The machine wide limit settings do not grant %1 access permission to the COM Server application %2 with APPID 
%3
 to the user %4\%5 SID (%6) from address %7 running in the application container %8 SID (%9). This security permission can be modified using the Component Services administrative tool.

Fields

Message

The machine wide %1 %2 security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields

Message

The launch and activation security descriptor for the COM Server application with APPID 
%1
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields

Message

The %1 access security descriptor for the COM Server application %2 with APPID 
%3
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields

Message

The application-specific access security descriptor for the COM Server application %1 with APPID 
%2
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed.  The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields

Message

The machine wide group policy %1 Limits security descriptor is invalid. The security descriptor is defined as an invalid Security Descriptor Definitions Language (SDDL) string. The requested action was therefore not performed. Please contact your administrator to get the security descriptor corrected in the Group Policy settings.

Fields

Fields

Message

The machine wide limit settings do not grant %1 %2 permission for COM Server applications to the user %3\%4 SID (%5) from address %6 running in the application container %7 SID (%8). This security permission can be modified using the Component Services administrative tool.

Fields

Message

DCOM was unable to communicate with the computer %1 using any of the configured protocols; requested by PID %2 (%3), while activating CLSID %4.

Fields

Message

The activation of the CLSID %1 timed out waiting for the service %2 to stop.

Fields

Message

Unable to start a COM Server for debugging: %3. The error:
"%2"
Happened while starting this command:
%1

Fields

Message

An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class %1 was rejected

Fields

Message

An unmarshaling policy check was performed when unmarshaling a custom inproc handler and the class %1 was rejected

Fields

Message

An unmarshaling policy check was performed when unmarshaling a COM+ envoy context property and the class %1 was rejected

Fields

Message

An unmarshaling policy check was performed due to CLSCTX_NO_CUSTOM_MARSHAL and the class %1 was rejected

Fields

Message

The COM standard marshaler was unable to fix a mismatch between the IID %1 provided by the server and the IID %2 requested by the client, with handler CLSID %3. The error code was %4.

Fields

Message

The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

Fields

Message

Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.

Fields

Message

Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.

Fields

Message

The COM sub system is suppressing duplicate event log entries for a duration of %1 seconds.  The suppression timeout can be controlled by a REG_DWORD value named %2 under the following registry key: HKLM\%3.

Fields

Message

Unable to start a DCOM Server: {param3}. The error:'{param2}'Happened while starting this command:{param1}

Fields

Message

Unable to start a DCOM Server: {param3} as {param4}/{param5}. The error:'{param2}'Happened while starting this command:{param1}

Fields

Message

Access denied attempting to launch a DCOM Server. The server is:
%1
The user is %2/%3, SID=%4.

Fields

Message

Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is:
%1
The user is %2/%3, SID=%4.

Fields

Message

DCOM got error '{param1}' and was unable to logon {param2}\{param3} in order to run the server:{param4}

Fields

Message

DCOM got error '{param1}' attempting to start the service {param2} with arguments '{param3}' in order to run the server:{param4}

Fields

Message

DCOM got error '{param1}' from the computer {param2} when attempting to activate the server:{param3}

Fields

Message

DCOM got error "%1" when attempting to activate the server:
%2

Fields

Message

DCOM got error '{param1}' from the computer {param2} when attempting to the server:{param3} with file {param4}.

Fields

Message

DCOM was unable to communicate with the computer %1 using any of the configured protocols.

Fields

Message

The server {param1} did not register with DCOM within the required timeout.

Fields

Message

The server %1 could not be contacted to establish the connection to the client

Fields

Message

There is an assertion failure in DCOM.  Context follows: %1 %2 %3

Fields

Message

The activation for CLSID {param1} failed because remote activations for COM+ are disabled. To enable this functionality use Server Manager to install the COM+ Network Access feature in the Application Server role.

Fields

Message

The machine wide limit settings do not grant {param1} {param2} permission for the COM Server application with CLSID {param3} and APPID {param4} to the user {param5}\{param6} SID ({param7}) from address {param8}. This security permission can be modified using the Component Services administrative tool.

Fields

Message

The {param1} permission settings do not grant {param2} {param3} permission for the COM Server application with CLSID {param4} and APPID {param5} to the user {param6}\{param7} SID ({param8}) from address {param9}. This security permission can be modified using the Component Services administrative tool.

Fields

Message

The {param1} permission settings do not grant {param2} access permission to the COM Server application {param3} with APPID {param4} to the user {param5}\{param6} SID ({param7}) from address {param8}. This security permission can be modified using the Component Services administrative tool.

Fields

Message

The application-specific permission settings do not grant {param1} access permission to the COM Server application {param2} with APPID {param3} to the user {param4}\{param5} SID ({param6}) from address {param7}. The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields

Message

The machine wide limit settings do not grant {param1} access permission to the COM Server application {param2} with APPID {param3} to the user {param4}\{param5} SID ({param6}) from address {param7}. This security permission can be modified using the Component Services administrative tool.

Fields

Message

The machine wide {param1} {param2} security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields

Message

The launch and activation security descriptor for the COM Server application with APPID {param1} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields

Message

The {param1} access security descriptor for the COM Server application {param2} with APPID %3 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields

Message

The application-specific access security descriptor for the COM Server application {param1} with APPID %2 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed.  The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields

Message

The machine wide group policy {param1} Limits security descriptor is invalid. The security descriptor is defined as an invalid Security Descriptor Definitions Language (SDDL) string. The requested action was therefore not performed. Please contact your administrator to get the security descriptor corrected in the Group Policy settings.

Fields

Message

The machine wide limit settings do not grant {param1} {param2} permission for COM Server applications to the user {param3}\{param4} SID ({param5}) from address {param6}. This security permission can be modified using the Component Services administrative tool.

Fields

Message

DCOM  started the service {param1} with arguments '{param2}' in order to run the server:{param3}

Fields

Message

The COM standard marshaler was unable to fix a mismatch between the IID {ProvidedIid} provided by the server and the IID {RequestedIid} requested by the client; with handler CLSID {HandlerClsid}. The error code was {HRESULT}.

Fields