DCOM

DCOM (Distributed Component Object Model) is an old Microsoft technology for Remote Procedure Calls (via TCP 135) between systems over a network. This DCOM-based lateral movement attack abuses the MMC20.Application COM object to execute arbitrary commands on a remote Windows host if the attacker has administrative privileges on the target. By instantiating this COM object remotely and calling its ExecuteShellCommand method, attackers with administrative privileges can run commands (including reverse shells) on a target system—without writing any files to disk.

This DCOM lateral movement technique leverages the Microsoft Management Console (MMC) COM application, commonly used for automating Windows tasks. Its Application Class exposes the ExecuteShellCommand method via Document.ActiveView, enabling shell command execution by any authorized user—typically local administrators by default.

In our scenario, we have compromised jen on CLIENT74 who is an administrator on FILES04.

# Remotely Instantiate the MMC COM Object
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.118.72"))

The MMC20.Application.1 is the COM class for Microsoft Management Console and 192.168.118.72 is FILES04's IP address.

# Spawn calc.exe on the target
$dcom.Document.ActiveView.ExecuteShellCommand("cmd", $null, "/c calc", "7")

The powershell -EncodedCommand <base64 payload> (-e) method works reliably in DCOM abuse because it avoids issues with quotes, special characters, and command parsing that often occur in remote execution contexts. By encoding the entire payload, it ensures PowerShell decodes and executes it exactly as intended, making it more stable and stealthy than raw or URL-encoded commands.