T1021.003 Distributed Component Object Model Mappings

Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.

The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)

Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)

Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with Windows Management Instrumentation. (Citation: MSDN WMI)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1021.003 Distributed Component Object Model
AC-2 Account Management Protects T1021.003 Distributed Component Object Model
AC-3 Access Enforcement Protects T1021.003 Distributed Component Object Model
AC-4 Information Flow Enforcement Protects T1021.003 Distributed Component Object Model
AC-5 Separation of Duties Protects T1021.003 Distributed Component Object Model
AC-6 Least Privilege Protects T1021.003 Distributed Component Object Model
CM-2 Baseline Configuration Protects T1021.003 Distributed Component Object Model
CM-5 Access Restrictions for Change Protects T1021.003 Distributed Component Object Model
CM-6 Configuration Settings Protects T1021.003 Distributed Component Object Model
CM-7 Least Functionality Protects T1021.003 Distributed Component Object Model
CM-8 System Component Inventory Protects T1021.003 Distributed Component Object Model
IA-2 Identification and Authentication (organizational Users) Protects T1021.003 Distributed Component Object Model
RA-5 Vulnerability Monitoring and Scanning Protects T1021.003 Distributed Component Object Model
SC-18 Mobile Code Protects T1021.003 Distributed Component Object Model
SC-3 Security Function Isolation Protects T1021.003 Distributed Component Object Model
SC-46 Cross Domain Policy Enforcement Protects T1021.003 Distributed Component Object Model
SC-7 Boundary Protection Protects T1021.003 Distributed Component Object Model
SI-3 Malicious Code Protection Protects T1021.003 Distributed Component Object Model
SI-4 System Monitoring Protects T1021.003 Distributed Component Object Model
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1021.003 Remote Services: Distributed Component Object Model
action.hacking.vector.Command shell Remote shell related-to T1021.003 Remote Services: Distributed Component Object Model