What is DCOM?

<aside> ℹ️ The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well as others.

</aside>

DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer just like objects on the local machine using the DCERPC-based DCOM protocol. Information about the identity, the implementation and the configuration of every COM (and DCOM) object is stored in the registry, and associated with a few important identifiers:

• CLSID - The Class Identifier is a GUID, which acts as a unique identifier for a COM class, and every class registered in Windows is associated with a CLSID. The CLSID key in the registry points to the implementation of the class, using the InProcServer32 subkey in case of a dll-based object, and the LocalServer32 key in case of an exe.
• ProgID - The Programmatic Identifier is an optional identifier, which can be used as a more user-friendly alternative to a CLSID, as it does not have to adhere to the intimidating GUID format of CLSIDs ("System.AppDomainManager", for example, is much easier on the eyes than a GUID). ProgIDs are not guaranteed to be unique, and unlike CLSID, not every class is associated with a ProgID.
• AppID  - The Application Identifier is used to specify the configuration of one or more COM objects associated with the same executable. This includes the permissions given to various groups to instantiate and access the associated classes, both locally and remotely.

<aside> ⚠️ To make a COM object accessible by DCOM, an AppID must be associated with the CLSID of the class and appropriate permissions need to be given to the AppID. A COM object without an associated AppID cannot be directly accessed from a remote machine.

</aside>

The instantiation of a remote DCOM object behaves as follows:

1. The client machine requests an instantiation of an object denoted by a CLSID from a remote machine. If the client uses a ProgID, it is first resolved locally to a CLSID.
2. The remote machine (server application) checks if there is an AppID associated with the CLSID in question, and verifies the permissions of the client.
3. If all goes well, the DCOMLaunch service creates an instance of the requested class, most commonly by running the executable of the LocalServer32 subkey, or by creating a DllHost process to host a dll referenced by the InProcServer32 subkey.
4. Communication is established between the client application and the server process. In most cases, the new process is created in the session associated with the DCOM communication.
5. The client is then able to access the members and methods of the newly created object.

DCOM is integrated into the Windows OS and allows for many Windows services communicate – like Microsoft Management Console (MMC) or Microsoft Office products.

Lateral Movements

MMC20.APPLICATION

What is

The MMC Application Class (MMC20.Application) COM object allows you to script components of MMC snap-in operations. There is a method named ExecuteShellCommand under Document.ActiveView: