5890 An object was added to the COM+ Catalog
Logged when an object is added to the COM+ Catalog. It records the registration of a new COM+ component and deserves attention as a possible persistence mechanism.
Overview
The subcategory is Audit Other Object Access Events. The event is generated when a new object (application/component) is added to the COM+ Catalog. It is one of the COM+ configuration events, alongside modification (5888) and deletion (5889).
How it is triggered
- Registration of a new COM+ application/component.
Security review points
- An attacker may register their own COM+ component so that it stays resident and runs under a specific identity (a privileged account), giving them persistence. Check the added component’s run-as identity, referenced DLL, and registering subject.
- Note COM+ registrations referencing DLLs in temp folders or non-standard paths, and additions by unexpected subjects. Track it together with modification 5888.
Notes for log review
- It also occurs during legitimate app installs. Match the added COM+ app, subject, and referenced DLL against normal patterns.
- Give high priority to confirming run settings under a high-privilege identity and registrations of unfamiliar DLLs.
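The review points above can be applied as triage logic over exported events. This is an added example, not part of the original page: the record keys (`event_id`, `subject`, `added_object`, `dll_path`, `run_as`) are hypothetical names for an already normalized and enriched record, and the baselines and sample events are constructed. It assumes a DLL in a temp or non-standard path counts as unfamiliar.

```python
import ntpath

# Assumed baselines (hypothetical values); replace with your environment's.
EXPECTED_SUBJECTS = {"svc-deploy"}   # accounts that normally register COM+ apps
STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                  "c:\\windows\\system32\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
HIGH_PRIV = {"system", "nt authority\\system"}

def triage_5890(ev):
    """Return (priority, reasons) for one normalized 5890 record."""
    reasons = []
    raw = ev.get("dll_path") or ""
    # normpath collapses ..\ segments so a path cannot pose as a standard root
    dll = ntpath.normpath(raw).lower() if raw else ""
    if dll and any(m in dll for m in TEMP_MARKERS):
        reasons.append("dll_in_temp_folder")
    elif dll and not dll.startswith(STANDARD_ROOTS):
        reasons.append("dll_in_non_standard_path")
    unfamiliar_dll = bool(reasons)
    if (ev.get("subject") or "").lower() not in EXPECTED_SUBJECTS:
        reasons.append("unexpected_subject")
    high_priv = (ev.get("run_as") or "").lower() in HIGH_PRIV
    if high_priv:
        reasons.append("high_privilege_run_as")
    if high_priv or unfamiliar_dll:
        return "high", reasons
    return ("review" if reasons else "baseline"), reasons

def review(events):
    """Triage each 5890 and count 5888 modifications of the same object."""
    out = []
    for ev in events:
        if ev["event_id"] != 5890:
            continue
        priority, reasons = triage_5890(ev)
        mods = sum(1 for e in events if e["event_id"] == 5888
                   and e["added_object"] == ev["added_object"])
        out.append({"object": ev["added_object"], "priority": priority,
                    "reasons": reasons, "modifications_5888": mods})
    return out

# Constructed sample records, not real log data.
SAMPLE = [
    {"event_id": 5890, "subject": "svc-deploy", "added_object": "InventoryApp",
     "dll_path": r"C:\Program Files\Inventory\inv.dll", "run_as": r"CONTOSO\svc-inventory"},
    {"event_id": 5890, "subject": "jdoe", "added_object": "UpdaterHelper",
     "dll_path": r"C:\Users\jdoe\AppData\Local\Temp\upd.dll", "run_as": r"NT AUTHORITY\SYSTEM"},
    {"event_id": 5888, "subject": "jdoe", "added_object": "UpdaterHelper"},
]
```
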
Key fields
| Field | Meaning |
|---|---|
| Added object | The registered COM+ object |
| Subject\Account Name | The subject that performed the addition |