Common Information
| Type | Value |
|---|---|
| Value |
Distributed Component Object Model - T1021.003 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM) Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL) Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2023-08-03 | 37 | 2022 Top Routinely Exploited Vulnerabilities | CISA | ||
| Details | Website | 2023-07-02 | 10 | UUID Specifications | ||
| Details | Website | 2023-06-28 | 7 | Buffer Overrun In RPC Interface Allows Code Execution. | ||
| Details | Website | 2023-05-18 | 0 | Windows Event Analysis: Unlocking the Hidden Insights in Event Logs | ||
| Details | Website | 2023-05-04 | 68 | Royal Ransomware: How Darktrace Contained One of the Most Prolific Ransomware Strains - Darktrace Blog | ||
| Details | Website | 2023-03-02 | 199 | Russia/Ukraine Update - February 2023 | ||
| Details | Website | 2023-02-22 | 22 | WMI Subscription Utilization Analysis Summary | ||
| Details | Website | 2023-02-16 | 10 | Malware authors leverage more attack techniques that enable lateral movement | ||
| Details | Website | 2022-12-20 | 133 | Russia/Ukraine Update - December 2022 | ||
| Details | Website | 2022-12-13 | 9 | December Patch Tuesday update for Windows 11 22H2 (KB5021255) and 21H2 (KB5021234) out now | ||
| Details | Website | 2022-12-01 | 1 | Microsoft releases KB5020044 update for Windows 11 -- before revealing that it breaks Task Manager | ||
| Details | Website | 2022-11-30 | 1 | Microsoft offers optional update KB5020044: fixes Windows 11 22H2 gaming performance | ||
| Details | Website | 2022-11-30 | 1 | Windows 11 22H2 KB5020044 finally fixes gaming performance issues, adds Moment 2 features | ||
| Details | Website | 2022-11-29 | 132 | Russia/Ukraine Update - November 2022 | ||
| Details | Website | 2022-09-30 | 98 | A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion | ||
| Details | Website | 2022-04-27 | 28 | 2021 Top Routinely Exploited Vulnerabilities | CISA | ||
| Details | Website | 2022-03-01 | 65 | IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine | WeLiveSecurity | ||
| Details | Website | 2020-12-14 | 220 | Carbanak/ FIN7 Crime Gang Threat Intel Advisory | Threat Intelligence | CloudSEK | ||
| Details | Website | 2020-09-17 | 5 | I Like to Move It: Windows Lateral Movement Part 2 - DCOM - MDSec | ||
| Details | Website | 2018-05-09 | 3 | No Win32_Process Needed – Expanding the WMI Lateral Movement Arsenal | ||
| Details | Website | 2018-04-28 | 13 | Abusing DCOM For Yet Another Lateral Movement Technique | ||
| Details | Website | 2018-01-25 | 14 | New lateral movement techniques abuse DCOM technology | ||
| Details | Website | 2017-11-16 | 7 | Lateral Movement Using Outlook’s CreateObject Method and DotNetToJScript | ||
| Details | Website | 2017-01-05 | 3 | Lateral Movement using the MMC20.Application COM Object |