
What is DCOM lateral movement?

DCOM lets Windows programs invoke objects on remote machines. Several of those objects expose methods that run commands, giving attackers a less-watched lateral-movement path. Here is what it is and how it is abused.

TL;DR

DCOM (Distributed Component Object Model) lets a program on one Windows machine instantiate and call COM objects on another. Some exposed objects, such as MMC20.Application, ShellWindows, and ShellBrowserWindow, have methods that execute shell commands, so an attacker with admin rights can run code on a remote host through DCOM. It is a less-monitored lateral-movement path than PsExec or WMI, driven from PowerShell with the target’s ProgID/CLSID.

By John Dill, Red Team Lead, SecureLayer7

What DCOM is

COM is the Windows model for software components to call each other; DCOM extends that across the network, so a program can create and use a COM object on a remote machine.

Many COM objects are harmless, but a handful expose methods that ultimately run a command (for example MMC20.Application has a method that executes via the Microsoft Management Console). An attacker with administrative access to the remote machine can reach those objects over DCOM and trigger execution, a quieter alternative to mainstream tools.

The abuse and payload

From a machine with admin rights to the target, the attacker instantiates a command-capable DCOM object remotely:

  • MMC20.Application: $c=[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.0.0.5")); $c.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c calc.exe","7")
  • ShellWindows / ShellBrowserWindow expose similar Document.Application.ShellExecute paths via their CLSID.

No new service is installed and execution arrives through DCOM rather than through a service or WMI, so it slips past detections tuned to PsExec or WMI. These are publicly documented techniques, summarised here so defenders know what to look for.

How to defend

  • Restrict DCOM with the firewall and DCOM/COM security settings so only management hosts can reach it.
  • Limit local-administrator rights and use LAPS, since DCOM execution still needs admin on the target.
  • Harden or disable risky DCOM objects where feasible.
  • Monitor for remote instantiation of command-capable DCOM objects (MMC20.Application, ShellWindows) and child processes spawned by them.
  • Reduce NTLM and enforce strong authentication.
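The monitoring item above, worked through as an added example that is not from this page or SecureLayer7's own tooling: a small correlator over process-creation telemetry. It assumes Sysmon Event ID 1-style fields (Image, ParentImage, CommandLine, ProcessId, ParentProcessId, Computer) and uses the fact that an MMC20.Application instance activated over DCOM is started by svchost.exe with the -Embedding switch, whereas an admin opening a console by hand gets mmc.exe from explorer.exe without it. It covers only the MMC20.Application case; ShellWindows and ShellBrowserWindow reuse the logged-on user's existing explorer.exe, so that signal does not apply and they need a different rule. All sample events are constructed.

```python
"""Correlator for DCOM-driven command execution in process-creation telemetry.

Added example, not code from the SecureLayer7 page. Field names follow Sysmon's
Event ID 1 (Image, ParentImage, CommandLine, ProcessId, ParentProcessId,
Computer); the sample records at the bottom are invented, not captured logs.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Interpreters that an MMC instance started by DCOM has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    computer: str
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_dcom_launched_mmc(ev: ProcEvent) -> bool:
    """mmc.exe activated by the DCOM launcher: parent is svchost.exe and the
    command line carries -Embedding. A console opened interactively comes from
    explorer.exe without that switch, so it does not match."""
    return (_basename(ev.image) == "mmc.exe"
            and _basename(ev.parent_image) == "svchost.exe"
            and "-embedding" in ev.cmdline.lower())


def find_dcom_exec(events: Iterable[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (mmc_event, child_event) pairs where a DCOM-launched mmc.exe spawned
    a shell. Keyed on (computer, pid) so a PID reused on another host does not
    cross-correlate."""
    events = list(events)
    hosts = {(e.computer, e.pid): e for e in events if is_dcom_launched_mmc(e)}
    hits = []
    for e in events:
        parent = hosts.get((e.computer, e.ppid))
        if parent is not None and _basename(e.image) in SHELLS:
            hits.append((parent, e))
    return hits


def alert_line(mmc: ProcEvent, child: ProcEvent) -> str:
    return (f"{child.computer}: DCOM-launched mmc.exe (pid {mmc.pid}) spawned "
            f"{_basename(child.image)} (pid {child.pid}): {child.cmdline}")


# Constructed sample telemetry; hostnames, PIDs and command lines are invented.
SAMPLE_EVENTS = [
    # Remote MMC20.Application activation on HOST-B, then the ExecuteShellCommand child.
    ProcEvent("HOST-B", 4120, 912, r"C:\Windows\System32\mmc.exe",
              r"C:\Windows\System32\svchost.exe", r'"C:\Windows\System32\mmc.exe" -Embedding'),
    ProcEvent("HOST-B", 4300, 4120, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\mmc.exe", r'"C:\Windows\System32\cmd.exe" /c calc.exe'),
    # An admin opens a console interactively on HOST-B and runs a command from it: benign.
    ProcEvent("HOST-B", 5000, 2210, r"C:\Windows\System32\mmc.exe",
              r"C:\Windows\explorer.exe", r'"C:\Windows\System32\mmc.exe" services.msc'),
    ProcEvent("HOST-B", 5100, 5000, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\mmc.exe", r'"C:\Windows\System32\cmd.exe" /c whoami'),
    # Same PIDs reused on another host; the parent there is not a DCOM-launched MMC.
    ProcEvent("HOST-C", 4300, 4120, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", r'"C:\Windows\System32\cmd.exe"'),
]


if __name__ == "__main__":
    for mmc, child in find_dcom_exec(SAMPLE_EVENTS):
        print(alert_line(mmc, child))
```

Run stand-alone it prints one alert, for the HOST-B pair 4120 -> 4300; the interactive console and the PID collision on HOST-C stay quiet. The same two predicates map directly onto a SIEM query: first stage on the svchost.exe/mmc.exe/-Embedding triple, second stage on children of those process IDs.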

Want your network tested for these paths?


Find the lateral-movement paths before an attacker does.

We run internal and network penetration tests that follow the real route from one compromised host across your network, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

30-min scoping call, fixed-price proposal in 48 hours.