EN, Security Boulevard

Lateral Movement: Abuse the Power of DCOM Excel Application

In this post, we will talk about an interesting lateral movement technique called ActivateMicrosoftApp() method within the distributed component object model (DCOM) Excel application. This technique is built upon Matt Nelson’s initial research on “Lateral Movement using Excel.Application and DCOM”.

What is DCOM?

DCOM is a Microsoft solution that allows software components to communicate remotely. Its predecessor, component object model (COM), lacked distributed computing functionality, so Microsoft introduced DCOM to serve the need of software components to communicate across the network. Basically, DCOM allows a client application to remotely instantiate a COM server object on another machine and utilize its methods. It operates on top of the remote procedure call (RPC) transport protocol based on TCP/IP for its network communications; specifically, it uses the ncacn_ip_tcp protocol sequence, where:

  • ncacn stands for “Connection-Oriented Network Computing Architecture.”
  • ip_tcp specifies the use of TCP/IP.

In practical terms, when you see this protocol sequence, it indicates that RPC is using TCP/IP for network communications in a connection-oriented manner.

How does COM work?

COM objects must be configured properly on both client and server. The Windows Registry stores the DCOM configuration data in three identifiers:

  • CLSID — The class identifier (CLSID) is a global unique identifier (GUID) which represents a unique ID for any application components in Windows; an example of CLSID is “{00020812–0000–0000-C000–000000000046}”
  • ProgID — The program identifier (ProgID) is an optional identifier registry entry which is linked to CLSID; unlike CLSID, ProgID is not a complex GUID format but a human readable format like “Excel.Application”
  • APPID — The application identifier (AppID) identifies all the classes that are part of the same executable and the permissions required to access it; it will most likely throw an error if the correct AppID is not used

The basic flow of communication is like this:

Figure 01 — DCOM flow over the netwo

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Security Boulevard

Read the original article: