DCOM
The Distributed Component Object Model (DCOM) enables remote procedure calls over TCP port 135 (the RPC endpoint mapper, which then hands the client a dynamically assigned port for the object connection), allowing COM objects to be instantiated and controlled across systems. Despite its age, it remains enabled in many enterprise environments and can be leveraged for fileless lateral movement when administrative access to the target host is available.
One effective technique abuses the `MMC20.Application` COM class, which corresponds to the Microsoft Management Console (MMC). This object exposes a method, `ExecuteShellCommand`, through `Document.ActiveView`, which permits execution of arbitrary commands on the remote host. When the object is instantiated remotely from a compromised system, the attacker can trigger command execution without dropping files to disk; the resulting process tree (mmc.exe started by the DCOM launcher with the `-Embedding` argument, which then spawns the requested shell) is still visible to process-creation logging.
Using `powershell -EncodedCommand <b64-payload>` mitigates parsing issues often encountered in remote execution, ensuring reliable delivery of complex payloads while avoiding quote escaping and special character handling errors.
# Remotely instantiate the MMC COM Object
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.118.72"))
# Test RCE on the target
$dcom.Document.ActiveView.ExecuteShellCommand("cmd", $null, "/c calc", "7")
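The process pattern this technique leaves behind is the practical detection handle: mmc.exe activated over DCOM is started by the DcomLaunch svchost with `-Embedding` on its command line, and `ExecuteShellCommand` then runs the requested program as a child of that mmc.exe. The following is an added example, not code from the original page, that checks process-creation records for both halves of that pattern. It assumes Sysmon Event ID 1 is being collected; the function names `Test-DcomMmcExecution` and `ConvertFrom-SysmonProcessCreate` and the sample records are constructed for this example.

```powershell
# Added example (not from the original page): flag the process pattern that
# MMC20.Application DCOM execution leaves in process-creation telemetry.
# Assumes Sysmon Event ID 1 (process create) is collected; the function names
# and the sample records below are constructed for this example.

function Test-DcomMmcExecution {
    param(
        # Expected keys: Image, ParentImage, CommandLine
        [Parameter(Mandatory)] [hashtable] $Proc
    )
    # mmc.exe activated over DCOM is started by the DcomLaunch svchost with "-Embedding"
    $mmcViaDcom = ($Proc.Image -like '*\mmc.exe') -and
                  ($Proc.ParentImage -like '*\svchost.exe') -and
                  ($Proc.CommandLine -match '-Embedding')
    # ExecuteShellCommand runs the requested program as a child of that mmc.exe
    $shellFromMmc = ($Proc.ParentImage -like '*\mmc.exe') -and
                    ($Proc.Image -match '\\(cmd|powershell|pwsh)\.exe$')
    if ($mmcViaDcom)   { return 'mmc.exe launched via DCOM (-Embedding)' }
    if ($shellFromMmc) { return 'shell spawned by mmc.exe' }
    return $null
}

# Convert a Sysmon Event ID 1 record into the hashtable shape used above
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml  = [xml] $Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return @{
        Time        = $Record.TimeCreated
        Image       = $data['Image']
        ParentImage = $data['ParentImage']
        CommandLine = $data['CommandLine']
    }
}

# Live use on a host running Sysmon (uncomment):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ForEach-Object {
#         $p   = ConvertFrom-SysmonProcessCreate $_
#         $hit = Test-DcomMmcExecution $p
#         if ($hit) { '{0}  {1}: {2}' -f $p.Time, $hit, $p.CommandLine }
#     }

# Constructed sample records: two that match the DCOM pattern, one benign MMC launch
$samples = @(
    @{ Image = 'C:\Windows\System32\mmc.exe'; ParentImage = 'C:\Windows\System32\svchost.exe'
       CommandLine = '"C:\Windows\system32\mmc.exe" -Embedding' },
    @{ Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\System32\mmc.exe'
       CommandLine = 'cmd /c calc' },
    @{ Image = 'C:\Windows\System32\mmc.exe'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = '"C:\Windows\system32\mmc.exe" compmgmt.msc' }
)
foreach ($s in $samples) {
    $hit = Test-DcomMmcExecution $s
    if ($hit) { 'ALERT {0}: {1}' -f $hit, $s.CommandLine } else { 'ok    {0}' -f $s.CommandLine }
}
```

The first two sample records trigger an alert and the third (an interactive MMC launch from Explorer) does not. Without Sysmon, the same fields are available from Security Event ID 4688 once command-line auditing is enabled, and correlating the alert with a preceding network logon (Event ID 4624, logon type 3) from the same source ties it to the remote activation. On the prevention side, DCOM can be turned off per host through the `EnableDCOM` value under `HKLM\SOFTWARE\Microsoft\Ole`, but many management tools depend on it, so restricting inbound TCP 135 and the dynamic RPC range to designated management hosts is usually the more practical control.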