{
	"id": "bc23620b-2651-47b8-8092-c8a809751e95",
	"created_at": "2026-04-06T00:18:20.694324Z",
	"updated_at": "2026-04-10T13:12:40.597585Z",
	"deleted_at": null,
	"sha1_hash": "2041612035fd12771b60cb246fea2a110d425bcb",
	"title": "Lateral Movement using the MMC20.Application COM Object",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 765618,
	"plain_text": "Lateral Movement using the MMC20.Application COM Object\r\nPublished: 2017-01-05 · Archived: 2026-04-05 15:25:18 UTC\r\nFor those of you who conduct pentests or red team assessments, you are probably aware that there are only so many ways to pivot, or conduct lateral movement, to a Windows system. Some of those techniques include psexec, WMI, at, Scheduled Tasks, and WinRM (if enabled). Since there are only a handful of techniques, more mature defenders are likely able to prepare for and detect attackers using them. Due to this, I set out to find an alternate way of pivoting to a remote system.\r\nRecently, I have been digging into COM (Component Object Model) internals. My interest in researching new lateral movement techniques led me to DCOM (Distributed Component Object Model), due to the ability to interact with the objects over the network. Microsoft has some good documentation on DCOM here and on COM here. You can find a solid list of DCOM applications using PowerShell by running “Get-CimInstance Win32_DCOMApplication”.\r\nWhile enumerating the different DCOM applications, I came across the MMC Application Class (MMC20.Application). This COM object allows you to script components of MMC snap-in operations. While enumerating the different methods and properties within this COM object, I noticed that there is a method named “ExecuteShellCommand” under Document.ActiveView.\r\nhttps://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\r\nPage 1 of 4\n\nYou can read more on that method here. So far, we have a DCOM application that we can access over the network and that can execute commands. The final piece is to leverage this DCOM application and the ExecuteShellCommand method to obtain code execution on a remote host.\r\nFortunately, as an admin, you can remotely interact with DCOM from PowerShell by using “[activator]::CreateInstance([type]::GetTypeFromProgID”. All you need to do is provide it a DCOM ProgID and an IP address. It will then hand you back an instance of that COM object remotely:\r\nIt is then possible to invoke the “ExecuteShellCommand” method to start a process on the remote host:\r\nAs you can see, calc.exe is running under Matt while the user “Jason” is logged in:\r\nBy using this DCOM application and the associated method, it is possible to pivot to a remote host without using psexec, WMI, or other well-known techniques.\r\nTo further demonstrate this, we can use this technique to execute an agent, such as Cobalt Strike’s Beacon, on a remote host. Since this is a lateral movement technique, it requires administrative privileges on the remote host:\r\nAs you can see, the user “Matt” has local admin rights on “192.168.99.132”. You can then use the ExecuteShellCommand method of MMC20.Application to execute staging code on the remote host. For this example, a simple encoded PowerShell download cradle is specified. Be sure to pay attention to the requirements of “ExecuteShellCommand”, as the program and its parameters are passed separately:\r\nExecuting this through an agent results in access to the remote target:\r\nTo detect/mitigate this, defenders can disable DCOM, block RPC traffic between workstations, and look for a child process spawning off of “mmc.exe”.\r\nEdit: After some investigating and back \u0026 forth with James Forshaw, it appears that the Windows Firewall will block this technique by default. As an additional mitigation, ensure the Windows Firewall is enabled and “Microsoft Management Console” isn’t an enabled rule.\r\nCheers!\r\nMatt N.\r\nSource: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"
	],
	"report_names": [
		"lateral-movement-using-the-mmc20-application-com-object"
	],
	"threat_actors": [],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2041612035fd12771b60cb246fea2a110d425bcb.pdf",
		"text": "https://archive.orkl.eu/2041612035fd12771b60cb246fea2a110d425bcb.txt",
		"img": "https://archive.orkl.eu/2041612035fd12771b60cb246fea2a110d425bcb.jpg"
	}
}