{
	"id": "865ce82b-f360-4ace-8aa9-d9c7c51da94b",
	"created_at": "2026-04-06T00:07:26.195504Z",
	"updated_at": "2026-04-10T13:11:27.969096Z",
	"deleted_at": null,
	"sha1_hash": "ab762194311fa3690cb0e378fdcb066c1b4d0bee",
	"title": "Lateral Movement Using Outlook’s CreateObject Method and DotNetToJScript",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 749430,
	"plain_text": "Lateral Movement Using Outlook’s CreateObject Method and DotNetToJScript\r\nPublished: 2017-11-16 · Archived: 2026-04-05 15:04:01 UTC\r\nIn the past, I have blogged about various methods of lateral movement via the Distributed Component Object Model (DCOM) in Windows. This typically involves identifying a DCOM application that has an exposed method allowing for arbitrary code execution. In this example, I’m going to cover Outlook’s CreateObject() method.\r\nIf you aren’t familiar with CreateObject(), it essentially allows you to instantiate an arbitrary COM object. The issue with abusing DCOM applications for lateral movement is that you are normally at the mercy of the method being used. The majority of the techniques discussed publicly involve abusing a ShellExecute (or similar) method to start an arbitrary process or open a malicious file on the target host, which requires placing a payload on disk (or a network share). While these techniques work great, they aren’t ideal from a safety perspective.\r\nFor example, the ShellBrowser/ShellBrowserWindow applications only allow you to start a process with parameters, which makes the technique susceptible to command line logging. What about the Run() methods for macro execution? Well, that requires the document with the malicious macro to be local or hosted on a share (not exactly ideal).\r\nWhat if we could get direct shellcode execution via DCOM and not have to worry about files on the target or arbitrary processes such as powershell or regsvr32? 
Luckily, Outlook is exposed via DCOM and has us covered.\r\nFirst, we need to instantiate Outlook remotely:\r\n$com = [Type]::GetTypeFromProgID('Outlook.Application','192.168.99.152')\r\n$object = [System.Activator]::CreateInstance($com)\r\nAfter doing so, you will have the CreateObject() method available to you:\r\nhttps://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/\r\nPage 1 of 6\n\nAs discussed above, this method provides the ability to instantiate any COM object on the remote host. How might this be abused for shellcode execution? Using the CreateObject() method, we can instantiate the ScriptControl COM object, which allows you to execute arbitrary VBScript or JScript via the AddCode() method:\r\n$RemoteScriptControl = $object.CreateObject(\"ScriptControl\")\r\nIf we use James Forshaw’s DotNetToJScript technique to deserialize a .NET assembly in VBScript/JScript, we can achieve shellcode execution via the ScriptControl object by passing the VBScript/JScript code to the AddCode() method. Since the ScriptControl object was instantiated remotely via Outlook’s CreateObject() method, any code passed will be executed on the remote host. To demonstrate this, I will use a simple assembly that starts calc. The PoC C# looks something like this:\r\nNote: Since it is just C#, this can be a full shellcode runner as well 🙂\r\nAfter compiling the “payload”, you can pass it to DotNetToJScript and get back some beautiful JScript/VBScript. In this instance, it will be JScript.\r\nNow that the payload has been generated, it can be passed to the ScriptControl COM object that was created via Outlook’s CreateObject() method on the remote host. 
This can be accomplished by storing the entire JScript/VBScript code block into a variable in PowerShell. In this case, I have stored it in a variable called “$code”:\r\nFinally, all that needs to be done is to set the “Language” property on the ScriptControl object to whichever language will be executed (JScript or VBScript) and then call the “AddCode()” method with the “$code” variable as a parameter:\r\n$RemoteScriptControl.Language = \"JScript\"\r\n$RemoteScriptControl.AddCode($code)\r\nAfter the “AddCode()” method is invoked, the supplied JScript will execute on the remote host:\r\nAs you can see above, calc.exe has spawned on the remote host.\r\nDetections and Mitigations:\r\nYou might have noticed in the above screenshot that Outlook.exe spawned as a child of svchost.exe. That is indicative of Outlook.Application being instantiated remotely via DCOM, so that should stick out. In most cases, the process being started will contain “-embedding” in the command line, which is also indicative of remote instantiation.\r\nAdditionally, module loads of vbscript.dll or jscript/jscript9.dll should stand out as well. Normally, Outlook does not load these, and their being loaded would be an indicator of the ScriptControl object being used.\r\nIn this example, the payload was running as a child process of Outlook.exe, which is itself anomalous. It is important to remember that ultimately a .NET assembly is being executed, meaning that shellcode injection is absolutely doable. Instead of simply starting a process, an attacker can write an assembly that injects shellcode into another process, which would bypass the parent-child relationship detection. 
Ultimately, enabling the Windows Firewall will prevent this attack as it stops DCOM usage.\r\n-Matt N\r\nSource: https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/"
	],
	"report_names": [
		"lateral-movement-using-outlooks-createobject-method-and-dotnettojscript"
	],
	"threat_actors": [],
	"ts_created_at": 1775434046,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab762194311fa3690cb0e378fdcb066c1b4d0bee.pdf",
		"text": "https://archive.orkl.eu/ab762194311fa3690cb0e378fdcb066c1b4d0bee.txt",
		"img": "https://archive.orkl.eu/ab762194311fa3690cb0e378fdcb066c1b4d0bee.jpg"
	}
}