search

Lateral Movement via DCOM

Lateral Movement via Distributed Component Object Model

The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well as others.

https://docs.microsoft.com/en-us/windows/desktop/com/the-component-object-modelarrow-up-right

This lab explores a DCOM lateral movement technique using MMC20.Application COM as originally researched by @enigma0x3 in his blog post Lateral Movement using the mmc20.application Com Objectarrow-up-right

hashtag
Execution

MMC20.Application COM class is stored in the registry as shown below:

Same can be achieved with powershell:

Establishing a connection to the victim host:

Executing command on the victim system via DCOM object:

Below shows the command execution and the result of it - remote machine's hostname command output is written to c:\fromdcom.txt:

hashtag
Observations

Once the connection from an attacker to victim is established using the below powershell:

This is what happens on the victim system - svchost spawns mmc.exe which opens a listening port via RPC binding:

A network connection is logged from 10.0.0.7 (attacker) to 10.0.0.2 (victim) via offense\administrator (can be also seen from the above screenshot):

hashtag
References

LogoLateral Movement using the MMC20.Application COM Objectenigma0x3chevron-right
LogoView ExecuteShellCommand methodMicrosoftLearnchevron-right
LogoType.GetTypeFromCLSID Method (System)MicrosoftLearnchevron-right
LogoCOM Technical Overview - Win32 appsMicrosoftLearnchevron-right
https://attack.mitre.org/wiki/Technique/T1175attack.mitre.orgchevron-right
PreviousShared WebrootNextWMI + MSI Lateral Movement

Last updated