Fileless lateral movement techniques are popular with attackers because they leave little on disk for file-based detection to find. IBM X-Force Red researchers Dylan Tran and Jimmy Bayne described a method that uses trapped COM objects to move laterally and run a payload inside a process on the remote machine without dropping a file on its disk.
How It Works
COM (Component Object Model) is Microsoft's binary standard for software components; DCOM extends it over RPC so that a client can activate and call an object hosted on another machine. Because the code the attacker ends up running lives inside a COM server process that Windows itself started on the target, the file-write and process-creation signals that traditional detection relies on are weak or absent.
Key Steps:
1. Identify candidate COM objects:
- Enumerate DCOM-exposed servers with OleView (OleViewDotNet) or PowerShell (Get-CimInstance Win32_DCOMApplication together with the HKLM:\SOFTWARE\Classes\AppID registry tree), and decode each AppID's LaunchPermission and AccessPermission values to see which principals may activate it remotely.
- "Trapped" is not a registry marking. In the X-Force Red technique an object reference is held ("trapped") inside the memory of a DCOM server process on the target so that a remote caller can keep interacting with it; the interesting servers are those whose interfaces hand out other objects and that remote principals are allowed to launch.
2. Lateral movement via DCOM:
- DCOM activation is an authenticated RPC call (TCP 135 plus a dynamic port) that makes the DcomLaunch service start the server process on the remote machine. By default only Administrators, Distributed COM Users and Performance Log Users may launch or activate remotely, so the caller normally needs local admin rights on the target.
- Example PowerShell (the classic Excel.Application activation, shown for illustration; Run executes a named macro in a workbook the remote instance has open, so "malicious_payload" is a placeholder):
$excel = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "target-ip"))
$excel.Run("malicious_payload")
3. In-memory execution:
- Once the remote object exposes .NET reflection over IDispatch, the attacker calls System.Reflection.Assembly.Load with the payload bytes so the assembly is loaded and executed inside the server process on the target. Nothing is written to the target's disk, which is what makes the chain fileless; PowerShell reflection or a C# client can drive the same calls from the attacker's side.
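As an added example for step 1 (illustrative code written for this page, not code from the X-Force Red researchers or their tooling), the following PowerShell enumerates every DCOM application on the local host, decodes the Launch and Activation ACL that applies to it, and lists which principals may reach it remotely. The list of "broad" SIDs and the exact-SID comparison against the machine-wide limit are assumptions to tune; everything else uses only the built-in Win32_DCOMApplication class and the AppID registry tree.

```powershell
# Added example for step 1, written for this page rather than taken from the X-Force Red
# write-up. It lists every DCOM AppID on the local host and decodes who may launch or
# activate it remotely. Nothing is assumed beyond the built-in Win32_DCOMApplication
# class and the HKLM\SOFTWARE\Classes\AppID registry tree.

# COM launch/activation access-mask bits (objbase.h). A legacy ACE that carries only
# EXECUTE (1) and none of the LOCAL/REMOTE bits grants everything, local and remote.
$COM_RIGHTS_EXECUTE         = 1
$COM_RIGHTS_EXECUTE_REMOTE  = 4
$COM_RIGHTS_ACTIVATE_REMOTE = 16

# Assumed "broad" principals that should rarely hold remote launch rights:
# Everyone, Authenticated Users, BUILTIN\Users, BUILTIN\Distributed COM Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-562')

function ConvertTo-SecurityDescriptor {
    # DCOM ACLs are stored as REG_BINARY self-relative security descriptors.
    param([byte[]]$Binary)
    if (-not $Binary) { return $null }
    New-Object System.Security.AccessControl.RawSecurityDescriptor($Binary, 0)
}

function Get-RemoteLaunchGrants {
    # One object per allow-ACE that grants remote execute or remote activate.
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    if (-not $Sd) { return }
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $m = [int]$ace.AccessMask
        $legacyAll = (($m -band $COM_RIGHTS_EXECUTE) -ne 0) -and (($m -band 30) -eq 0)
        $remote    = ($m -band ($COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE)) -ne 0
        if (-not ($legacyAll -or $remote)) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{ Principal = $name; Sid = $sid.Value; Mask = $m; Broad = ($BroadSids -contains $sid.Value) }
    }
}

$ole       = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$limit     = ConvertTo-SecurityDescriptor $ole.MachineLaunchRestriction   # machine-wide ceiling
$default   = ConvertTo-SecurityDescriptor $ole.DefaultLaunchPermission    # used by AppIDs with no ACL of their own
$limitSids = @(Get-RemoteLaunchGrants $limit | ForEach-Object Sid)

$report = foreach ($app in Get-CimInstance -ClassName Win32_DCOMApplication) {
    $props = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$($app.AppID)" -ErrorAction SilentlyContinue
    $sd = if ($props.LaunchPermission) { ConvertTo-SecurityDescriptor $props.LaunchPermission } else { $default }
    foreach ($g in Get-RemoteLaunchGrants $sd) {
        [pscustomobject]@{
            AppId       = $app.AppID
            Name        = $app.Name
            RunAs       = $props.RunAs          # empty means the launching user's identity
            Principal   = $g.Principal
            Broad       = $g.Broad
            # A caller gets in only if BOTH the machine-wide limit and the AppID ACL allow it.
            # Exact-SID matching ignores group membership, so treat this as a first filter.
            WithinLimit = ($limitSids -contains $g.Sid)
        }
    }
}

# Servers that a broad principal may reach remotely are the ones to lock down (or, for a red team, to target).
$report | Where-Object { $_.Broad -and $_.WithinLimit } | Sort-Object Name | Format-Table -AutoSize
```

Run it elevated on the host you are assessing. A short result is normal on a default install, because the machine-wide limits only hand remote launch and activation to Administrators, Distributed COM Users and Performance Log Users; an AppID that grants Everyone or Authenticated Users while the limit also allows them is the misconfiguration worth fixing first.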
You Should Know:
Detection & Mitigation
- Monitor DCOM activity:
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM' }
There is no separate Microsoft-Windows-DCOM/Operational channel: DistributedCOM writes to the System log, and only on failure (event 10016 for a denied launch or activation, and the 10000-series "Unable to start a DCOM Server" errors), so this surfaces blocked or botched attempts rather than successful ones. A successful remote activation shows up as a network logon (Security 4624, logon type 3) followed by a process started under the DcomLaunch svchost.exe (Security 4688 or Sysmon event 1); alert on that lineage.
- Review and restrict the DCOM launch/activation limits:
MachineLaunchRestriction is a REG_BINARY security descriptor, so it cannot be set by assigning a RegistrySecurity object to it; read it and decode it to SDDL to review who may launch or activate DCOM servers remotely on this host:
$ole = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Ole"
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($ole.MachineLaunchRestriction, 0)
$sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Change the limits through Component Services (dcomcnfg: My Computer > Properties > COM Security > Launch and Activation Permissions > Edit Limits) or the Group Policy security option "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax", and keep the Distributed COM Users group empty on workstations.
Forensic Investigation
- Check WMI and COM-related logs:
Get-WinEvent -LogName "Microsoft-Windows-WMI-Activity/Operational"
(WMI-based lateral movement appears here; DCOM activation itself does not, so pair it with the System-log DistributedCOM events and Security 4624/4688.)
- Use Sysmon: Event ID 1 (ProcessCreate) for servers started with -Embedding under the DcomLaunch svchost.exe and for any children they spawn, Event ID 7 (ImageLoad) for clr.dll or mscoree.dll appearing in such a server, which is the footprint of an assembly loaded from memory, and Event ID 10 (ProcessAccess) for unexpected handle opens by that server.
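As an added detection example (written for this page, not code from the X-Force Red researchers or from Sysmon), the following PowerShell turns the Sysmon signals above into a small correlation: it tracks processes that DcomLaunch started with -Embedding, then flags the CLR being loaded into one of them and any child process one of them spawns. The allowlist of expected .NET hosts and the sample events are assumptions; the sample telemetry is constructed, not captured.

```powershell
# Added detection example written for this page, not taken from the X-Force Red write-up.
# Assumes Sysmon is installed with ProcessCreate (ID 1) and ImageLoad (ID 7) rules that
# include clr.dll / mscoree.dll / coreclr.dll; the process names below are assumptions.

# Processes expected to host the .NET runtime; CLR loads elsewhere after DCOM activation are flagged.
# Excel with VSTO add-ins or mmc.exe with .NET snap-ins may need adding in your environment.
$KnownClrHosts = @('powershell.exe', 'pwsh.exe', 'msbuild.exe', 'devenv.exe', 'w3wp.exe')

function ConvertFrom-SysmonEvent {
    # Flatten a live Sysmon EventRecord's <EventData> into one object with named fields.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = [ordered]@{ EventId = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Find-DcomServerAbuse {
    # Walk flattened Sysmon events in time order and return alert strings.
    param([object[]]$Events)
    $dcomLaunched = @{}   # ProcessId -> Image for servers started by the DCOM activation path
    $alerts = New-Object System.Collections.Generic.List[string]
    foreach ($e in $Events) {
        switch ([int]$e.EventId) {
            1 {
                # DcomLaunch starts LocalServer32 servers with "-Embedding" on the command line.
                if ($e.CommandLine -match '(?i)(^|\s)[-/]Embedding(\s|$)') {
                    $dcomLaunched[[string]$e.ProcessId] = $e.Image
                }
                # A DCOM-activated server spawning a child (Excel Run, MMC20 ExecuteShellCommand ...).
                if ($e.ParentProcessId -and $dcomLaunched.ContainsKey([string]$e.ParentProcessId)) {
                    $alerts.Add("child of DCOM server $($e.ParentImage): $($e.CommandLine)")
                }
            }
            7 {
                # .NET runtime appearing in a DCOM-activated native server: footprint of Assembly.Load.
                if ($dcomLaunched.ContainsKey([string]$e.ProcessId) -and
                    $e.ImageLoaded -match '(?i)\\(clr|mscoree|coreclr)\.dll$') {
                    $exe = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
                    if ($KnownClrHosts -notcontains $exe) {
                        $alerts.Add("CLR loaded into DCOM server $($e.Image) (pid $($e.ProcessId)): $($e.ImageLoaded)")
                    }
                }
            }
        }
    }
    return $alerts
}

# Constructed sample telemetry (not real logs): Excel activated over DCOM, the CLR loaded
# into it, then a child shell. Expect two alerts.
$excel = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
$sample = @(
    [pscustomobject]@{ EventId = 1; ProcessId = '4120'; ParentProcessId = '912'; Image = $excel
                       ParentImage = 'C:\Windows\System32\svchost.exe'; CommandLine = "`"$excel`" /automation -Embedding" }
    [pscustomobject]@{ EventId = 7; ProcessId = '4120'; Image = $excel
                       ImageLoaded = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll' }
    [pscustomobject]@{ EventId = 1; ProcessId = '5316'; ParentProcessId = '4120'; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = $excel; CommandLine = 'cmd.exe /c whoami' }
)
Find-DcomServerAbuse -Events $sample

# Live use: pull events oldest-first so parent/child ordering holds.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 7 } -Oldest |
#         ForEach-Object { ConvertFrom-SysmonEvent $_ }
# Find-DcomServerAbuse -Events $live
```

The CLR-load rule is the one that matters for the trapped-object variant, since a payload loaded with Assembly.Load never spawns a child; the child-process rule covers the older Excel and MMC20 style. Both depend on Sysmon's ImageLoad rule actually including the CLR DLLs, which many default configurations filter out for noise.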
Red Team Simulation
- Use SharpCOM (a C# DCOM lateral-movement tool), substituting your own target and command and checking the flags against the tool's current usage output:
SharpCOM.exe -m lateral -c "malicious_command" -t 192.168.1.100
What Undercode Say:
Fileless attacks keep evolving, and defenders must adapt by monitoring DCOM, WMI and PowerShell activity together rather than file writes alone. Application whitelisting (AppLocker or WDAC) and PowerShell Constrained Language Mode raise the bar for script-based payloads, but they do not govern an assembly a DCOM server loads from memory with Assembly.Load; pair them with tightened DCOM launch and activation limits, an empty Distributed COM Users group, and host firewall rules that block inbound RPC (TCP 135 and the dynamic port range) between workstations.
Expected Output:
- Detection of suspicious COM object activation.
- Logs showing unexpected DCOM/WMI activity.
- Blocking unauthorized remote execution via GPO.
Reference: IBM X-Force Red – Fileless Lateral Movement