Description
Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with Windows Management Instrumentation. (Citation: MSDN WMI)
Network Pentesting Methodology
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (4)
Disable or Remove Feature or ProgramM1042
Consider disabling DCOM through Dcomcnfg.exe.(Citation: Microsoft Disable DCOM)
Application Isolation and SandboxingM1048
Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)
Network SegmentationM1030
Enable Windows firewall, which prevents DCOM instantiation by default.
Privileged Account ManagementM1026
Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{{AppID_GUID}} associated with the process-wide security of individual COM applications.(Citation: Microsoft Process Wide Com Keys)
Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can utilize <code>Invoke-DCOM</code> to leverage remote COM execution for lateral movement.(Citation... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can use `System` namespace methods to execute lateral movement using DCOM.(Citation: GitHub S... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can deliver Beacon payloads for lateral movement by leveraging remote COM execution.(Citation... |
References
- Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
- Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
- Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.
- Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.
- Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
- Nelson, M. (2017, January 23). Lateral Movement via DCOM: Round 2. Retrieved November 21, 2017.
- Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.
- Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
- Nelson, M. (2017, September 11). Lateral Movement using Excel.Application and DCOM. Retrieved November 21, 2017.
- Tsukerman, P. (2017, November 8). Leveraging Excel DDE for lateral movement via DCOM. Retrieved November 21, 2017.
Frequently Asked Questions
What is T1021.003 (Distributed Component Object Model)?
T1021.003 is a MITRE ATT&CK technique named 'Distributed Component Object Model'. It belongs to the Lateral Movement tactic(s). Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may the...
How can T1021.003 be detected?
Detection of T1021.003 (Distributed Component Object Model) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1021.003?
There are 4 documented mitigations for T1021.003. Key mitigations include: Disable or Remove Feature or Program, Application Isolation and Sandboxing, Network Segmentation, Privileged Account Management.
Which threat groups use T1021.003?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.