Distributed Component Object Model

Information

• Name: Distributed Component Object Model

• ID: T1021.003

• Tactics: TA0008

• Technique: T1021

Introduction

Distributed Component Object Model (DCOM) [T1021.003] is a sub-technique within the MITRE ATT&CK framework under the "Remote Services" technique (T1021). It involves adversaries leveraging Microsoft's DCOM technology to execute code remotely and laterally move across networks. DCOM is an extension of the Component Object Model (COM) that enables communication between software components distributed across networked computers. Attackers exploit DCOM to gain access, execute arbitrary commands, and maintain persistence within compromised networks.

Deep Dive Into Technique

Distributed Component Object Model (DCOM) is a proprietary Microsoft technology that allows software components to communicate across networked systems. It extends the COM model to allow remote procedure calls (RPC) and object interactions over a network.

Attackers exploiting DCOM typically use native Windows utilities or custom scripts to perform remote command execution. Key technical mechanisms and methods include:

• Remote Procedure Calls (RPC):

  • DCOM relies on RPC for inter-process and inter-system communication.

  • Attackers exploit RPC interfaces exposed by DCOM-enabled services.

• Authentication and Authorization Exploitation:

  • Attackers typically require valid credentials or exploit weak authentication mechanisms.

  • Credential harvesting or pass-the-hash attacks often precede DCOM exploitation.

• Native Windows Tools:

  • Built-in Windows utilities such as wmic.exe, powershell.exe, or MMC snap-ins can interact with DCOM interfaces.

  • Attackers may leverage these tools to remotely execute commands or scripts.

• Third-party Frameworks and Tools:

  • Offensive security frameworks like Impacket, Metasploit, and custom PowerShell scripts can automate exploitation of vulnerable DCOM interfaces.

  • Tools such as Invoke-DCOM, SharpDCOM, or custom scripts are commonly used.

Real-world procedures typically involve:

1. Enumerating available DCOM interfaces and services remotely.

2. Identifying vulnerable or misconfigured DCOM endpoints.

3. Acquiring valid credentials or exploiting authentication weaknesses.

4. Executing remote commands or scripts via DCOM interfaces.

5. Establishing persistence or lateral movement across the network.

When this Technique is Usually Used

Attackers commonly utilize DCOM exploitation in various attack scenarios and stages, including:

• Lateral Movement:

  • After initially compromising a system, attackers leverage DCOM to move laterally, pivoting to other internal hosts.

  • DCOM provides stealthy and legitimate-looking remote command execution.

• Persistence and Command Execution:

  • Attackers use DCOM to maintain persistent access by remotely executing commands or scripts periodically.

  • DCOM execution can blend in with normal administrative activities, reducing suspicion.

• Privilege Escalation:

  • Attackers may exploit misconfigured DCOM interfaces that run with elevated privileges, allowing privilege escalation.

  • Misconfigured permissions on DCOM services provide pathways to higher-level access.

• Data Exfiltration and Reconnaissance:

  • Attackers remotely execute commands via DCOM to perform reconnaissance, gather sensitive data, and exfiltrate information.

  • DCOM allows attackers to remotely query system information and enumerate network resources.

How this Technique is Usually Detected

Detection of malicious DCOM activity involves monitoring and analyzing various indicators and behaviors:

• Event Log Monitoring:

  • Windows Security Event Logs (e.g., Event IDs 4624, 4648) indicating unusual or remote logon activity.

  • System logs recording RPC or DCOM-related events (Event IDs 10006, 10009) indicating failed or unauthorized attempts.

• Network Traffic Analysis:

  • Monitoring RPC/DCOM network traffic (TCP port 135 and dynamic RPC ports) for anomalous patterns or unusual connections.

  • Identifying unusual spikes in RPC traffic between unexpected hosts.

• Endpoint Detection and Response (EDR) Tools:

  • Monitoring native Windows utilities (wmic.exe, powershell.exe, MMC) executed remotely or unusually.

  • Behavioral detection rules identifying suspicious DCOM-related command execution.

• SIEM and Behavioral Analytics:

  • Correlation of DCOM-related log events across multiple systems to detect lateral movement attempts.

  • Analysis of user logins and administrative actions performed remotely via DCOM.

• Indicators of Compromise (IoCs):

  • Unusual or unauthorized remote execution of commands via DCOM interfaces.

  • Suspicious PowerShell scripts or binaries leveraging DCOM interfaces.

  • Anomalous RPC/DCOM traffic patterns, such as repeated failed authentication attempts.

Why it is Important to Detect This Technique

Early detection of DCOM exploitation is critical due to its potential impacts on systems and networks:

• Rapid Lateral Movement:

  • DCOM allows attackers to quickly pivot and spread across internal networks, significantly increasing the scope and severity of compromise.

• Stealth and Evasion:

  • Attackers abusing DCOM interfaces often blend into legitimate administrative traffic, making detection challenging.

  • Early detection prevents attackers from establishing persistent footholds and evading detection mechanisms.

• Privilege Escalation and System Compromise:

  • Exploiting misconfigured DCOM services can lead to privilege escalation, allowing attackers to gain administrative-level access.

  • Detecting and mitigating DCOM misuse helps prevent attackers from elevating privileges and compromising critical systems.

• Data Exfiltration and Espionage:

  • Attackers can leverage DCOM to remotely execute commands facilitating data theft and reconnaissance.

  • Early detection reduces potential data loss, intellectual property theft, and espionage activities.

• Operational Impact and Business Continuity:

  • Undetected DCOM exploitation can lead to prolonged attacker persistence, resulting in significant operational disruptions.

  • Timely detection and response minimize downtime, mitigate damage, and reduce remediation costs.

Examples

Real-world examples of attackers leveraging DCOM include:

• APT28 (Fancy Bear):

  • APT28 has historically leveraged legitimate Windows remote execution tools, including DCOM, for lateral movement and persistence.

  • Attackers remotely executed PowerShell scripts via DCOM interfaces to maintain stealthy access and evade detection.

• Cobalt Strike Framework:

  • Offensive security tools like Cobalt Strike include modules and scripts to exploit DCOM interfaces for lateral movement.

  • Attackers using Cobalt Strike commonly leverage DCOM for remote execution and persistence, blending into normal administrative traffic.

• Impacket Framework:

  • Impacket, a popular Python-based offensive toolkit, provides scripts (dcomexec.py) specifically designed to exploit DCOM for remote command execution.

  • Attackers frequently use Impacket scripts during penetration testing and real-world intrusions to move laterally and execute commands remotely.

• FIN7 (Carbanak):

  • FIN7 has utilized DCOM exploitation techniques to remotely execute commands and scripts across compromised networks.

  • Attackers leveraged DCOM to maintain persistence, escalate privileges, and exfiltrate sensitive financial data.

• NotPetya Malware:

  • The NotPetya ransomware/wiper leveraged DCOM and other legitimate Windows mechanisms to spread laterally across networks.

  • This usage amplified the malware's rapid propagation and destructive capabilities, resulting in severe operational disruptions and financial losses.

In these scenarios, attackers leveraged DCOM exploitation to achieve stealthy lateral movement, persistence, privilege escalation, and data theft, underscoring the importance of detecting and mitigating this sub-technique.