
5888 An object in the COM+ Catalog was modified

Logged when an object in the COM+ Catalog is modified. It records configuration changes to COM+ applications and matters when reviewing for persistence and privilege abuse.

Overview

The audit subcategory is Audit Other Object Access Events. The event is generated when an object registered in the COM+ Catalog is modified. COM+ is a mechanism that registers and runs components as server applications.

How it is triggered

  • Configuration changes to a COM+ application or component (changes to the run-as identity, registered DLL, permissions, etc.).

Security review points

  • A COM+ component can run under a specific identity (often a privileged account). An attacker may rewrite a COM+ object to run malicious code or to keep it resident with high privilege (persistence). Check the content of the change (run-as identity, referenced DLL).
  • Track COM+ configuration changes together with 5890 (addition) and 5889 (deletion). Pay attention to changes made by unexpected subjects.

Notes for log review

  • It also occurs during legitimate app installs/updates. Match the changed COM+ app and subject against normal patterns.
  • Note elevation of the run-as identity or references to unfamiliar DLLs.
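
The review points above can be applied as a baseline comparison. The following is an added example, not part of the original page: the normalized record layout (event_id, subject, target_object, changes), the baseline sets and all sample values are constructed assumptions, not the raw event schema.

```python
# Added example: triage of COM+ Catalog audit events (5888/5889/5890).
# Record layout, baselines and sample values are constructed assumptions.
EVENT_KINDS = {5888: "modified", 5889: "deleted", 5890: "added"}

# Hypothetical baseline of normal change patterns for this environment.
EXPECTED_SUBJECTS = {"svc-deploy"}
EXPECTED_APPS = {"InventoryApp"}
PRIVILEGED_IDENTITIES = {"system", "localsystem", "administrator"}
KNOWN_DLL_DIRS = ("c:\\program files\\inventoryapp\\",)


def review(event):
    """Return the list of reasons an event deserves analyst attention."""
    reasons = []
    if event["event_id"] not in EVENT_KINDS:
        return reasons
    if event["subject"].lower() not in EXPECTED_SUBJECTS:
        reasons.append("unexpected subject")
    if event["target_object"] not in EXPECTED_APPS:
        reasons.append("COM+ object outside baseline")
    changes = event.get("changes", {})
    identity = changes.get("run_as_identity")
    if identity and identity.split("\\")[-1].lower() in PRIVILEGED_IDENTITIES:
        reasons.append("run-as identity set to privileged account")
    dll = changes.get("dll")
    if dll and not dll.lower().startswith(KNOWN_DLL_DIRS):
        reasons.append("unfamiliar DLL reference")
    return reasons


def triage(events):
    """Map each flagged event to (event id, kind, target, reasons)."""
    return [(e["event_id"], EVENT_KINDS[e["event_id"]], e["target_object"], r)
            for e in events if (r := review(e))]


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"event_id": 5888, "subject": "svc-deploy", "target_object": "InventoryApp",
     "changes": {"dll": "C:\\Program Files\\InventoryApp\\inv.dll"}},
    {"event_id": 5888, "subject": "jdoe", "target_object": "InventoryApp",
     "changes": {"run_as_identity": "NT AUTHORITY\\SYSTEM",
                 "dll": "C:\\Users\\Public\\helper.dll"}},
    {"event_id": 5890, "subject": "svc-deploy", "target_object": "NewApp"},
    {"event_id": 4624, "subject": "jdoe", "target_object": "n/a"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The expected deployment account updating a known DLL path passes silently, while the same COM+ application changed by an unexpected subject to a privileged identity and an unfamiliar DLL is flagged with all three reasons.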

Key fields

Field | Meaning
Target object | The modified COM+ object
Subject\Account Name | The subject that made the change
