hunting-for-dcom-lateral-movement

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026


$npx skills install mukul975/Anthropic-Cybersecurity-Skills/hunting-for-dcom-lateral-movement
summary

Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships.

skill.md
name
hunting-for-dcom-lateral-movement
description
'Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships. '
domain
cybersecurity
subdomain
threat-hunting
tags
- threat-hunting
- DCOM
- lateral-movement
- T1021.003
- Sysmon
- MMC20
- ShellWindows
- ShellBrowserWindow
- COM-objects
- WMI
- RPC
version
'1.0'
author
mukul975
license
Apache-2.0
d3fend_techniques
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
nist_csf
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05

Hunting for DCOM Lateral Movement

Authorized Testing Disclaimer: The offensive techniques and attack simulations described in this skill are intended exclusively for authorized penetration testing, red team engagements, purple team exercises, and security research conducted with explicit written permission from the system owner. Unauthorized use of these techniques against systems you do not own or have permission to test is illegal and unethical. Always operate within the scope of your engagement and comply with applicable laws and regulations.

Overview

Distributed Component Object Model (DCOM) enables remote execution of COM objects across a network using RPC: the client first talks to the RPC endpoint mapper on TCP 135, the DcomLaunch service activates the requested object on the target, and the object's method calls then travel to a dynamic high port owned by the process hosting the object. Adversaries abuse specific DCOM objects -- MMC20.Application (CLSID {49B2791A-B1AE-4C90-9B8E-E860BA07F889}), ShellBrowserWindow (CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880}), and ShellWindows (CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39}) -- to execute commands on remote hosts without dropping files, a lateral movement technique mapped to MITRE ATT&CK T1021.003. By default, remote launch and activation rights are limited to the target's local Administrators and Distributed COM Users groups, so this is a post-credential-theft technique rather than an unauthenticated exploit. This skill provides detection strategies using Sysmon telemetry, Windows Security Event correlation, network monitoring, and SIEM detection rules to identify DCOM abuse in enterprise environments.

When to Use

  • Proactively hunting for lateral movement in Active Directory environments where DCOM is enabled
  • Investigating alerts for suspicious mmc.exe, dllhost.exe, or explorer.exe child process creation on servers
  • Building detection rules for MITRE ATT&CK T1021.003 (Remote Services: Distributed Component Object Model)
  • Correlating Sysmon Event ID 1 (Process Create) and Event ID 3 (Network Connection) to trace DCOM-based command execution chains
  • Auditing DCOM exposure across the domain to reduce lateral movement attack surface
  • During purple team exercises validating detection coverage for DCOM-based techniques

Do not use as a replacement for EDR-based lateral movement detection, without Sysmon or equivalent process telemetry deployed on endpoints, or in isolation without correlating network-level and host-level indicators.

Prerequisites

  • Sysmon deployed on endpoints with configuration capturing Event ID 1 (Process Create), Event ID 3 (Network Connection), Event ID 7 (Image Loaded), and Event ID 10 (Process Access)
  • Windows Security Event Logs forwarded to SIEM (Event IDs 4624, 4672, 4688)
  • SIEM platform (Splunk, Elastic, Microsoft Sentinel) with correlation capability
  • Network monitoring for RPC traffic (TCP 135 and dynamic high ports 49152-65535)
  • Baseline inventory of legitimate DCOM usage in the environment
  • Understanding of MITRE ATT&CK Lateral Movement tactic (TA0008) and T1021.003

Workflow

Step 1: Understand DCOM Lateral Movement Attack Vectors

DCOM lateral movement exploits three primary COM objects. Each has distinct forensic artifacts.

MMC20.Application -- The attacker instantiates the MMC Application object remotely and calls Document.ActiveView.ExecuteShellCommand to run arbitrary commands on the target. The DcomLaunch service (svchost.exe -k DcomLaunch) starts a new mmc.exe with -Embedding on its command line; that mmc.exe accepts the client's RPC connection on a dynamic port and spawns the command as its child. The chain svchost.exe (DcomLaunch) -> mmc.exe -Embedding -> cmd.exe is the artifact to look for, and the child runs under the account the attacker authenticated with.

ShellBrowserWindow -- Calls Document.Application.ShellExecute inside the explorer.exe of a user who is already logged on interactively at the target. No new COM server process appears, which makes it stealthier than MMC20, but the child is spawned by explorer.exe and runs as that logged-on user rather than as the attacker's account. If no interactive session exists on the target, activation fails.

ShellWindows -- Same mechanism as ShellBrowserWindow (item().Document.Application.ShellExecute) and the same requirement for a logged-on user's explorer.exe. The absence of a new COM server process makes it harder to detect without process-creation telemetry that records the parent, and without network telemetry showing explorer.exe accepting an inbound connection, which it does not do in normal use.

# ATTACK SIMULATION (authorized testing only)
# These commands demonstrate what adversaries execute -- use only in lab environments

# MMC20.Application lateral movement
# $dcom = [System.Activator]::CreateInstance(
#     [Type]::GetTypeFromProgID("MMC20.Application", "TARGET_IP"))
# $dcom.Document.ActiveView.ExecuteShellCommand(
#     "cmd.exe", $null, "/c whoami > C:\temp\output.txt", "7")

# ShellWindows lateral movement
# $dcom = [System.Activator]::CreateInstance(
#     [Type]::GetTypeFromCLSID(
#         [guid]"9BA05972-F6A8-11CF-A442-00A0C90A8F39", "TARGET_IP"))
# $dcom.item().Document.Application.ShellExecute(
#     "cmd.exe", "/c calc.exe", "C:\windows\system32", $null, 0)

# ShellBrowserWindow lateral movement
# $dcom = [System.Activator]::CreateInstance(
#     [Type]::GetTypeFromCLSID(
#         [guid]"C08AFD90-F2A1-11D1-8455-00A0C91F3880", "TARGET_IP"))
# $dcom.Document.Application.ShellExecute(
#     "cmd.exe", "/c net user", "C:\windows\system32", $null, 0)

Step 2: Configure Sysmon for DCOM Detection

<!-- Sysmon configuration excerpt for DCOM lateral movement detection -->
<!-- Add these rules to your existing Sysmon config -->

<Sysmon schemaversion="4.90">
  <EventFiltering>

    <!-- Event ID 1: Process Creation - Detect DCOM-spawned processes -->
    <RuleGroup name="DCOM_ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- MMC20.Application: mmc.exe spawning child processes -->
        <ParentImage condition="end with">mmc.exe</ParentImage>
        <!-- DcomLaunch service spawning COM servers (noisy: DcomLaunch starts every
             out-of-process COM server; keep it for hunting and filter in the SIEM) -->
        <ParentCommandLine condition="contains">DcomLaunch</ParentCommandLine>
        <!-- dllhost.exe spawning suspicious children -->
        <ParentImage condition="end with">dllhost.exe</ParentImage>
        <!-- explorer.exe spawning cmd/powershell (ShellWindows/ShellBrowserWindow) -->
        <Rule groupRelation="and">
          <ParentImage condition="end with">explorer.exe</ParentImage>
          <Image condition="end with">cmd.exe</Image>
        </Rule>
        <Rule groupRelation="and">
          <ParentImage condition="end with">explorer.exe</ParentImage>
          <Image condition="end with">powershell.exe</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>

    <!-- Event ID 3: Network Connection - Track DCOM RPC connections -->
    <RuleGroup name="DCOM_NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="include">
        <!-- RPC Endpoint Mapper -->
        <DestinationPort condition="is">135</DestinationPort>
        <!-- DCOM processes making network connections -->
        <Image condition="end with">mmc.exe</Image>
        <Image condition="end with">dllhost.exe</Image>
        <!-- svchost.exe DcomLaunch connections -->
        <Rule groupRelation="and">
          <Image condition="end with">svchost.exe</Image>
          <DestinationPort condition="more than">49151</DestinationPort>
        </Rule>
      </NetworkConnect>
    </RuleGroup>

    <!-- Event ID 7: Image Loaded - ole32.dll and rpcrt4.dll are loaded by almost
         every process on the host, so an unscoped include floods the log; scope it
         to the COM server images. comsvcs.dll is COM+ and not specific to DCOM. -->
    <RuleGroup name="DCOM_ImageLoaded" groupRelation="or">
      <ImageLoad onmatch="include">
        <Rule groupRelation="and">
          <Image condition="end with">mmc.exe</Image>
          <ImageLoaded condition="end with">rpcrt4.dll</ImageLoaded>
        </Rule>
        <Rule groupRelation="and">
          <Image condition="end with">dllhost.exe</Image>
          <ImageLoaded condition="end with">ole32.dll</ImageLoaded>
        </Rule>
      </ImageLoad>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
# Deploy or update Sysmon configuration
# sysmon64.exe -c dcom-detection-sysmon.xml

# Verify Sysmon is capturing DCOM events
# PowerShell: Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10 |
#   Where-Object { $_.Id -in @(1,3) } | Format-Table TimeCreated, Id, Message -Wrap

Step 3: Build SIEM Detection Rules for DCOM Object Abuse

# Sigma Rule: MMC20.Application DCOM Lateral Movement
title: DCOM Lateral Movement via MMC20.Application
id: 8a3b5f2e-c1d4-4a9f-b237-1e6f8d2c3a4b
status: stable
description: >
  Detects remote instantiation of MMC20.Application DCOM object by monitoring
  for mmc.exe spawned by svchost.exe DcomLaunch service with subsequent child
  process creation, indicating T1021.003 lateral movement.
references:
    - https://attack.mitre.org/techniques/T1021/003/
    - https://www.cybereason.com/blog/dcom-lateral-movement-techniques
    - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\mmc.exe'
    # mmc.exe started through DCOM activation carries -Embedding on its command
    # line; an interactive console started by a user does not.
    selection_embedding:
        ParentCommandLine|contains: '-Embedding'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
    filter_legitimate:
        ParentCommandLine|contains:
            - 'devmgmt.msc'
            - 'diskmgmt.msc'
            - 'services.msc'
            - 'compmgmt.msc'
    condition: selection_parent and selection_child and (selection_embedding or not filter_legitimate)
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.003
falsepositives:
    - Legitimate remote MMC administration by authorized IT staff
    - SCCM or other management tools using DCOM for remote management

# Sigma Rule: ShellWindows/ShellBrowserWindow DCOM Lateral Movement
title: DCOM Lateral Movement via ShellWindows or ShellBrowserWindow
id: 2f7c9d1e-a8b3-4c5f-9012-3e4d5f6a7b8c
status: stable
description: >
  Detects explorer.exe spawning a shell or script host, the artifact left by
  ShellWindows (CLSID 9BA05972-...) or ShellBrowserWindow (CLSID C08AFD90-...)
  abuse. Both objects run inside the interactive user's existing explorer.exe,
  so there is no -Embedding parent and no new COM server process, and the
  child runs as the logged-on user. On its own this pattern is common on
  workstations: apply it to servers and jump hosts, or correlate it with a
  Sysmon Event ID 3 inbound connection (Initiated=false) to explorer.exe on a
  dynamic port shortly before the child started, as the Step 4 queries do.
  explorer.exe does not accept inbound TCP connections in normal use.
references:
    - https://attack.mitre.org/techniques/T1021/003/
    - https://www.elastic.co/guide/en/security/8.19/incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows.html
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\mshta.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    condition: selection
level: medium
tags:
    - attack.lateral_movement
    - attack.t1021.003
falsepositives:
    - Users launching command prompts from Explorer context menus or shortcuts
    - Software installers and file handlers launching child processes from explorer.exe

# Sigma Rule: Inbound RPC Connection to a COM Server Process Followed by Process Creation
# NOTE: 'near' is Sigma v1 legacy syntax that few backends translate; treat this
# rule as the specification for the Splunk/KQL correlations in Step 4.
title: DCOM Process Inbound RPC Connection Followed by Process Creation
id: 4d9e2f1a-b3c5-4a7f-8901-2c3d4e5f6a7b
status: experimental
description: >
  Correlates a Sysmon Event ID 3 inbound connection (Initiated=false) on a
  dynamic RPC port to a COM server process (mmc.exe, explorer.exe, dllhost.exe)
  with a subsequent Event ID 1 child of that same process within a short
  window. Port 135 itself is answered by svchost.exe (RpcSs) for every RPC
  client, so it is a weak key; the connection that matters is the one to the
  activated object's own dynamic endpoint.
logsource:
    product: windows
    service: sysmon
detection:
    network_connection:
        EventID: 3
        Initiated: 'false'
        Image|endswith:
            - '\mmc.exe'
            - '\explorer.exe'
            - '\dllhost.exe'
    process_creation:
        EventID: 1
        ParentImage|endswith:
            - '\mmc.exe'
            - '\explorer.exe'
            - '\dllhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    timeframe: 30s
    condition: network_connection | near process_creation
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.003

Step 4: Deploy Splunk and KQL Detection Queries

# Splunk: Detect MMC20.Application DCOM Lateral Movement
# Correlates mmc.exe child process creation with a network logon (4624 Type 3)
# on the same host within five minutes. The -Embedding switch on the parent's
# command line marks mmc.exe as COM-activated rather than user-started.

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1 ParentImage="*\\mmc.exe" ParentCommandLine="*-Embedding*"
(Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
 OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe")
| eval target_host=ComputerName
| join target_host type=inner max=0
    [search index=wineventlog EventCode=4624 LogonType=3
     (AuthenticationPackageName="NTLM" OR AuthenticationPackageName="Kerberos")
    | eval target_host=ComputerName, logon_time=_time
    | rename IpAddress as source_ip, TargetUserName as logon_user
    | fields target_host source_ip logon_user logon_time]
| where abs(_time - logon_time) < 300
| table _time logon_time target_host Image ParentImage ParentCommandLine CommandLine source_ip logon_user
| sort -_time

# Splunk: Detect ShellWindows/ShellBrowserWindow DCOM Lateral Movement
# explorer.exe does not accept inbound TCP connections in normal use; an inbound
# connection to it on a dynamic RPC port followed by a child shell from the same
# process is the in-process ShellExecute pattern. The child runs as the logged-on user.

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1 ParentImage="*\\explorer.exe"
(Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
| eval target_host=ComputerName
| join target_host ParentProcessGuid type=inner max=0
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
     EventCode=3 Initiated="false" Image="*\\explorer.exe" DestinationPort>=49152
     NOT SourceIp IN ("127.0.0.1", "::1")
    | eval target_host=ComputerName, rpc_time=_time
    | rename SourceIp as dcom_source_ip, ProcessGuid as ParentProcessGuid
    | fields target_host ParentProcessGuid dcom_source_ip rpc_time]
| where abs(_time - rpc_time) < 120
| stats count values(Image) as child_processes values(CommandLine) as commands
    by target_host dcom_source_ip User
| table target_host dcom_source_ip User child_processes commands count
# Splunk: DCOM RPC Endpoint Mapper Connection Anomaly
# Identifies hosts receiving unusual volumes of inbound RPC connections

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=3 DestinationPort=135 Initiated="false"
| stats dc(SourceIp) as unique_sources count by ComputerName
| where unique_sources > 3 OR count > 10
| sort -unique_sources
| table ComputerName unique_sources count
// Microsoft Sentinel KQL: DCOM Lateral Movement via MMC20.Application
// Assumes the community SysmonEvent parser; column names such as
// InitiatedConnection and SourceIp differ between Sysmon parsers, adjust to yours.
// Keyed on the inbound connection to the COM server process itself rather than
// on port 135, which svchost.exe (RpcSs) answers for every RPC client.

let dcom_network = SysmonEvent
| where EventID == 3
| where InitiatedConnection == false
| where Image endswith "\\mmc.exe" or Image endswith "\\dllhost.exe"
| where toint(DestinationPort) >= 49152
| where SourceIp !in ("127.0.0.1", "::1")
| project NetworkTime=TimeGenerated, TargetComputer=Computer,
    SourceIP=SourceIp, DestPort=DestinationPort;

let dcom_process = SysmonEvent
| where EventID == 1
| where ParentImage endswith "\\mmc.exe"
    or ParentImage endswith "\\dllhost.exe"
| where Image endswith "\\cmd.exe"
    or Image endswith "\\powershell.exe"
    or Image endswith "\\pwsh.exe"
    or Image endswith "\\wscript.exe"
    or Image endswith "\\mshta.exe"
| project ProcessTime=TimeGenerated, TargetComputer=Computer,
    ParentImage, Image, CommandLine, User;

dcom_network
| join kind=inner (dcom_process) on TargetComputer
| where abs(datetime_diff('second', NetworkTime, ProcessTime)) < 60
| project NetworkTime, ProcessTime, TargetComputer, SourceIP,
    ParentImage, Image, CommandLine, User
| sort by NetworkTime desc

// Microsoft Sentinel KQL: ShellWindows DCOM Lateral Movement
// Pairs a network logon on the target with an explorer.exe child within two minutes.

SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName in ("NTLM", "Kerberos")
| project LogonTime=TimeGenerated, TargetComputer=Computer,
    SourceIP=IpAddress, LogonUser=TargetUserName
| join kind=inner (
    SysmonEvent
    | where EventID == 1
    | where ParentImage endswith "\\explorer.exe"
    | where Image endswith "\\cmd.exe"
        or Image endswith "\\powershell.exe"
        or Image endswith "\\pwsh.exe"
    | project ProcessTime=TimeGenerated, TargetComputer=Computer,
        Image, CommandLine, User
) on TargetComputer
| where ProcessTime between (LogonTime .. (LogonTime + 2m))
| project LogonTime, ProcessTime, TargetComputer, SourceIP,
    LogonUser, Image, CommandLine
| sort by LogonTime desc
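
The host-side correlation that Steps 1, 3 and 4 express in Sigma, SPL and KQL, run over sample telemetry. This is an added example and not code from the skill: it joins a Sysmon Event ID 3 inbound connection to a COM server process with an Event ID 1 child of that same process, keyed on ProcessGuid, and flags mmc.exe started by DcomLaunch with -Embedding. The events, hosts, GUIDs and addresses are constructed for the demo.

```python
"""Host-side DCOM chain correlation over constructed Sysmon events (added example).

A COM server process (mmc.exe, explorer.exe, dllhost.exe) accepts an inbound
connection on a dynamic RPC port (EID 3, Initiated=false); within a short window
that same process spawns a shell or script host (EID 1). Events are dicts keyed
like Sysmon EventData; every value below is made up."""
from datetime import datetime, timedelta

COM_SERVERS = ("\\mmc.exe", "\\explorer.exe", "\\dllhost.exe")
SUSPICIOUS_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
                       "\\cscript.exe", "\\mshta.exe", "\\rundll32.exe", "\\regsvr32.exe")
LOOPBACK = ("127.0.0.1", "::1")


def _ts(value):
    """Sysmon UtcTime looks like '2024-05-01 10:05:00.000'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def find_dcom_chains(events, window=timedelta(seconds=30)):
    """One finding per suspicious child whose COM-server parent accepted an inbound
    dynamic-port connection at most `window` before the child started. Keyed on
    (Computer, ProcessGuid), so another host's explorer.exe or the same user
    opening cmd.exe ten minutes later does not match."""
    inbound = {}        # (computer, guid) -> [(time, source_ip), ...]
    activated = set()   # (computer, guid) of mmc.exe started by DcomLaunch with -Embedding
    findings = []
    for e in sorted(events, key=lambda x: _ts(x["UtcTime"])):
        when, host, image = _ts(e["UtcTime"]), e["Computer"], e["Image"].lower()
        if e["EventID"] == 3:
            if (e.get("Initiated") == "false" and image.endswith(COM_SERVERS)
                    and int(e["DestinationPort"]) >= 49152
                    and e["SourceIp"] not in LOOPBACK):
                inbound.setdefault((host, e["ProcessGuid"]), []).append((when, e["SourceIp"]))
            continue
        if e["EventID"] != 1:
            continue
        if (image.endswith("\\mmc.exe") and "-embedding" in e.get("CommandLine", "").lower()
                and "dcomlaunch" in e.get("ParentCommandLine", "").lower()):
            activated.add((host, e["ProcessGuid"]))
        if not (e["ParentImage"].lower().endswith(COM_SERVERS)
                and image.endswith(SUSPICIOUS_CHILDREN)):
            continue
        key = (host, e["ParentProcessGuid"])
        hits = [(t, ip) for t, ip in inbound.get(key, []) if timedelta(0) <= when - t <= window]
        if not hits:
            continue
        conn_time, source_ip = hits[-1]          # most recent qualifying connection
        findings.append({
            "computer": host, "source_ip": source_ip, "parent": e["ParentImage"],
            "image": e["Image"], "command_line": e.get("CommandLine", ""),
            "user": e.get("User", ""), "lag_seconds": (when - conn_time).total_seconds(),
            "dcom_activated_parent": key in activated,
        })
    return findings


# Constructed sample telemetry (GUIDs shortened; nothing here is from a real host).
SAMPLE_EVENTS = [
    # Benign: alice opens a prompt from Explorer on her workstation, no inbound connection.
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:00.000", "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "ProcessGuid": "{guid-2}", "ParentProcessGuid": "{guid-1}",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "User": "CORP\\alice"},
    # ShellWindows: bob's explorer.exe on SRV02 accepts an RPC call from 10.10.5.23 ...
    {"EventID": 3, "UtcTime": "2024-05-01 10:05:00.000", "Computer": "SRV02",
     "Image": "C:\\Windows\\explorer.exe", "ProcessGuid": "{guid-7}", "Initiated": "false",
     "SourceIp": "10.10.5.23", "SourcePort": "52211", "DestinationPort": "49720"},
    # ... and two seconds later ShellExecute spawns cmd.exe as bob.
    {"EventID": 1, "UtcTime": "2024-05-01 10:05:02.000", "Computer": "SRV02",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "ProcessGuid": "{guid-8}", "ParentProcessGuid": "{guid-7}",
     "CommandLine": "cmd.exe /c net user", "User": "CORP\\bob"},
    # MMC20.Application: DcomLaunch starts mmc.exe -Embedding as the caller ...
    {"EventID": 1, "UtcTime": "2024-05-01 10:09:00.000", "Computer": "SRV02",
     "Image": "C:\\Windows\\System32\\mmc.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ProcessGuid": "{guid-3}", "ParentProcessGuid": "{guid-4}",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
     "CommandLine": "\"C:\\Windows\\system32\\mmc.exe\" -Embedding", "User": "CORP\\svc-backup"},
    # ... the client connects to mmc.exe's dynamic endpoint ...
    {"EventID": 3, "UtcTime": "2024-05-01 10:09:00.500", "Computer": "SRV02",
     "Image": "C:\\Windows\\System32\\mmc.exe", "ProcessGuid": "{guid-3}", "Initiated": "false",
     "SourceIp": "10.10.5.23", "SourcePort": "52230", "DestinationPort": "49731"},
    # ... and ExecuteShellCommand spawns cmd.exe.
    {"EventID": 1, "UtcTime": "2024-05-01 10:09:01.000", "Computer": "SRV02",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\mmc.exe",
     "ProcessGuid": "{guid-5}", "ParentProcessGuid": "{guid-3}",
     "CommandLine": "cmd.exe /c whoami > C:\\temp\\output.txt", "User": "CORP\\svc-backup"},
    # Benign: bob opens a prompt himself ten minutes later, outside the 30 s window.
    {"EventID": 1, "UtcTime": "2024-05-01 10:15:00.000", "Computer": "SRV02",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "ProcessGuid": "{guid-9}", "ParentProcessGuid": "{guid-7}",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "User": "CORP\\bob"},
]

if __name__ == "__main__":
    for finding in find_dcom_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the function returns exactly the two SRV02 chains (the ShellWindows one with a 2 s lag and the MMC20 one with its parent marked as DCOM-activated) and ignores both benign cmd.exe launches. In production the same join keyed on ProcessGuid rather than on host name alone is what keeps a busy jump host from drowning the rule in unrelated logons.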

Step 5: WMI Event Correlation for DCOM Activity

# Splunk: Correlate WMI-Activity events with DCOM lateral movement
# Remote WMI rides on DCOM, so the WMI-Activity operational log shows the
# same RPC path from a different angle. 5858 is only written for failed
# operations; enable the WMI-Activity Trace log for successful remote calls.

index=wineventlog source="WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
EventCode IN (5857, 5858, 5859, 5860, 5861)
| eval event_type=case(
    EventCode==5857, "WMI Provider Loaded",
    EventCode==5858, "WMI Operation Failure",
    EventCode==5859, "WMI Provider Event",
    EventCode==5860, "WMI Temporary Event Registration",
    EventCode==5861, "WMI Permanent Event Registration")
| stats count values(event_type) as wmi_events by ComputerName
| where count > 5
| table ComputerName wmi_events count

# PowerShell: Query the WMI-Activity operational log for remote WMI callers
# Run on target systems during investigation. WMI-Activity messages never name
# COM objects such as MMC20 or ShellWindows; what 5858 and 5860 do carry is the
# ClientMachine that issued the request, so flag any client other than the local host.

Get-WinEvent -FilterHashtable @{
        LogName = "Microsoft-Windows-WMI-Activity/Operational"
        Id      = 5857, 5858, 5860, 5861
    } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $client = if ($_.Message -match 'ClientMachine = ([^;]+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            Id            = $_.Id
            ClientMachine = $client
            Detail        = $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length))
        }
    } |
    Where-Object { $_.ClientMachine -and $_.ClientMachine -ne $env:COMPUTERNAME } |
    Format-Table -AutoSize

# Query Sysmon for DCOM parent-child process chains
# Windows event XPath does not support contains(), so filter in PowerShell.
# Property indexes follow the Sysmon Event ID 1 schema (4=Image, 10=CommandLine,
# 12=User, 20=ParentImage, 21=ParentCommandLine); verify them against your
# Sysmon version if the columns look shifted.
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 1 } -MaxEvents 5000 |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            ParentImage       = $_.Properties[20].Value
            ParentCommandLine = $_.Properties[21].Value
            Image             = $_.Properties[4].Value
            CommandLine       = $_.Properties[10].Value
            User              = $_.Properties[12].Value
        }
    } |
    Where-Object { $_.ParentImage -match '\\(mmc|dllhost|explorer)\.exe$' -and
                   $_.Image -match '\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$' } |
    Select-Object -First 100 |
    Format-Table -AutoSize

Step 6: Network-Level DCOM Detection with Zeek

# Zeek script for detecting DCOM lateral movement at the network level
# Monitors RPC Endpoint Mapper (port 135) and subsequent high-port connections

cat > /opt/zeek/share/zeek/site/custom-detections/dcom-lateral-movement.zeek << 'ZEEKEOF'
@load base/frameworks/notice
@load base/frameworks/sumstats
@load base/protocols/dce-rpc

module DCOMLateralMovement;

export {
    redef enum Notice::Type += {
        DCOM_Lateral_Movement_Suspected,
        DCOM_RPC_Scan
    };

    # Threshold for unique targets receiving RPC connections from single source
    const rpc_target_threshold: count = 3 &redef;
    const rpc_time_window: interval = 10min &redef;
}

event zeek_init()
{
    local r1 = SumStats::Reducer(
        $stream="dcom.rpc_targets",
        $apply=set(SumStats::UNIQUE)
    );

    SumStats::create([
        $name="detect-dcom-lateral",
        $epoch=rpc_time_window,
        $reducers=set(r1),
        $threshold_val(key: SumStats::Key, result: SumStats::Result) = {
            return result["dcom.rpc_targets"]$unique + 0.0;
        },
        $threshold=rpc_target_threshold + 0.0,
        $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = {
            NOTICE([
                $note=DCOM_RPC_Scan,
                $msg=fmt("Host %s connected to %d hosts on RPC/135 in %s - possible DCOM lateral movement",
                         key$str, result["dcom.rpc_targets"]$unique, rpc_time_window),
                $identifier=key$str
            ]);
        }
    ]);
}

event connection_state_remove(c: connection)
{
    if ( c$id$resp_p == 135/tcp && c$id$resp_h in Site::local_nets )
    {
        SumStats::observe("dcom.rpc_targets",
            [$str=cat(c$id$orig_h)],
            [$str=cat(c$id$resp_h)]
        );
    }
}
ZEEKEOF

# Monitor DCE-RPC operations related to DCOM activation and object calls
# (drop ts before uniq -c, otherwise every line is unique and nothing aggregates)
cat /opt/zeek/logs/current/dce_rpc.log | \
  zeek-cut id.orig_h id.resp_h endpoint operation | \
  grep -iE "ISystemActivator|IRemoteActivation|IActivation|IRemUnknown|IObjectExporter|IDispatch" | \
  sort | uniq -c | sort -rn

# Track RPC endpoint mapper connections between internal hosts
cat /opt/zeek/logs/current/conn.log | \
  zeek-cut ts id.orig_h id.resp_h id.resp_p duration | \
  awk '$4 == 135' | \
  awk '{print $2, "->", $3}' | sort | uniq -c | sort -rn | head -20
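
The same two network signals Step 6 looks for, the SumStats fan-out and the endpoint-mapper-then-dynamic-port pattern, worked through in Python over a constructed conn.log so the logic can be checked offline. This is an added example and not code from the skill or from Zeek; the log excerpt is fabricated and uses a subset of the real conn.log columns, and the 10.10.0.0/16 local network is an assumption standing in for Site::local_nets.

```python
"""Network-side DCOM hunting over a constructed Zeek conn.log (added example).

Two signals: (1) fan-out, one internal source reaching >= N distinct internal
hosts on 135/tcp inside a window, which is what the SumStats script alerts on;
(2) activation pattern, a 135/tcp connection followed within a few seconds by a
connection from the same source to the same target on a dynamic port (>= 49152),
i.e. endpoint mapper / activation followed by the ORPC call to the object."""
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # assumption: Site::local_nets

# Fabricated conn.log; only a subset of the real columns, the parser keys on #fields.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring
1714557900.000000\tC1\t10.10.5.23\t52200\t10.10.7.12\t135\ttcp\tdce_rpc\t0.05\tSF
1714557900.300000\tC2\t10.10.5.23\t52201\t10.10.7.12\t49720\ttcp\tdce_rpc\t1.20\tSF
1714557960.000000\tC3\t10.10.5.23\t52210\t10.10.7.13\t135\ttcp\tdce_rpc\t0.04\tSF
1714557960.250000\tC4\t10.10.5.23\t52211\t10.10.7.13\t49664\ttcp\tdce_rpc\t0.90\tSF
1714558020.000000\tC5\t10.10.5.23\t52220\t10.10.7.14\t135\ttcp\t-\t0.03\tSF
1714558080.000000\tC6\t10.10.5.23\t52230\t10.10.7.15\t135\ttcp\t-\t0.03\tSF
1714558100.000000\tC7\t10.10.3.9\t61000\t10.10.7.12\t135\ttcp\tdce_rpc\t0.05\tSF
1714558100.100000\tC8\t10.10.3.9\t61001\t10.10.7.12\t445\ttcp\tsmb\t3.00\tSF
"""


def parse_conn_log(text):
    """Parse Zeek TSV into dicts keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)


def rpc_fanout(rows, threshold=3, window=600.0):
    """{source: [targets]} for sources that reached >= threshold distinct internal
    hosts on 135/tcp within any window-second span (SumStats UNIQUE on resp_h)."""
    per_src = defaultdict(list)
    for r in rows:
        if r["id.resp_p"] == "135" and r["proto"] == "tcp" and _is_local(r["id.resp_h"]):
            per_src[r["id.orig_h"]].append((float(r["ts"]), r["id.resp_h"]))
    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):              # sliding window from each EPM hit
            targets = {h for t, h in hits[i:] if t - t0 <= window}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            alerts[src] = sorted(best)
    return alerts


def dcom_activations(rows, max_gap=5.0):
    """(src, dst, dynamic_port, gap_seconds) for each dynamic-port connection that
    follows a 135/tcp connection between the same pair within max_gap seconds."""
    epm = defaultdict(list)
    for r in rows:
        if r["id.resp_p"] == "135" and r["proto"] == "tcp":
            epm[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    out = []
    for r in rows:
        if r["proto"] != "tcp" or int(r["id.resp_p"]) < 49152:
            continue
        key, t = (r["id.orig_h"], r["id.resp_h"]), float(r["ts"])
        gaps = [t - e for e in epm.get(key, []) if 0 <= t - e <= max_gap]
        if gaps:
            out.append((key[0], key[1], int(r["id.resp_p"]), round(min(gaps), 3)))
    return out


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    print("fan-out:", rpc_fanout(rows))
    print("activations:", dcom_activations(rows))
```

On the sample, 10.10.5.23 trips the fan-out threshold (four internal hosts on 135/tcp within three minutes) and produces two activation pairs, to 10.10.7.12:49720 and 10.10.7.13:49664; 10.10.3.9 touches the endpoint mapper once and then SMB, so it is reported by neither check. Note that WMI, scheduled-task and service-control clients produce the same EPM-then-dynamic-port shape, so the pair is a DCOM/RPC indicator to join against host telemetry, not proof of MMC20 or ShellWindows on its own.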

Step 7: DCOM Attack Surface Audit and Hardening

# Audit DCOM configuration across the domain
# Enumerate remotely accessible DCOM objects

# List DCOM applications registered on local system
Get-CimInstance -ClassName Win32_DCOMApplication |
    Select-Object AppID, Name |
    Sort-Object Name |
    Format-Table -AutoSize

# Check DCOM launch/access permissions for high-risk objects. Per-object
# permissions live under the AppID key (HKLM\SOFTWARE\Classes\AppID\{appid}),
# which the CLSID key references through its AppID value; when LaunchPermission
# is absent there, the machine-wide defaults under HKLM\SOFTWARE\Microsoft\Ole
# apply, which grant remote launch/activation to Administrators and
# Distributed COM Users.
$clsids = @{
    "MMC20.Application"    = "{49B2791A-B1AE-4C90-9B8E-E860BA07F889}"
    "ShellWindows"         = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
    "ShellBrowserWindow"   = "{C08AFD90-F2A1-11D1-8455-00A0C91F3880}"
    "Excel.Application"    = "{00024500-0000-0000-C000-000000000046}"
    "Outlook.Application"  = "{0006F03A-0000-0000-C000-000000000046}"
}

foreach ($name in $clsids.Keys) {
    $clsid = $clsids[$name]
    $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
    if (-not (Test-Path $clsidKey)) {
        Write-Host "[-] $name ($clsid): Not found on this system"
        continue
    }
    $appId = (Get-ItemProperty -Path $clsidKey -Name "AppID" -ErrorAction SilentlyContinue).AppID
    if (-not $appId) {
        Write-Host "[*] $name ($clsid): No AppID, machine-wide DCOM defaults apply"
        continue
    }
    $appKey = "HKLM:\SOFTWARE\Classes\AppID\$appId"
    $launch = (Get-ItemProperty -Path $appKey -Name "LaunchPermission" -ErrorAction SilentlyContinue).LaunchPermission
    $access = (Get-ItemProperty -Path $appKey -Name "AccessPermission" -ErrorAction SilentlyContinue).AccessPermission
    $state = if ($launch -or $access) { 'Per-AppID permissions set (review the ACL in dcomcnfg)' } else { 'Machine-wide defaults apply' }
    Write-Host "[*] $name ($clsid) AppID $($appId): $state"
}

# Check if DCOM is enabled (should be restricted on servers that don't need it)
$dcomEnabled = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Ole" -Name "EnableDCOM").EnableDCOM
Write-Host "`n[*] DCOM Enabled: $dcomEnabled"

# Check remote launch and activation permissions
$remoteLaunch = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Ole" -Name "DefaultLaunchPermission" -ErrorAction SilentlyContinue)
Write-Host "[*] Default Launch Permission: $(if ($remoteLaunch) { 'Custom' } else { 'System Default' })"

# Hardening: Restrict DCOM remote access via Group Policy
# These settings should be applied via GPO in production

# Disable DCOM on systems that do not require it. This also breaks remote WMI,
# remote MMC administration and other DCOM-based management and takes effect
# after a reboot; check the baseline inventory from the prerequisites first.
# Computer Configuration > Administrative Templates > System > Distributed COM >
#   Application Compatibility > Enable Distributed COM on this computer = Disabled

# Same setting via the registry
# Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Ole" -Name "EnableDCOM" -Value "N"

# Restrict RPC/DCOM at the host firewall to admin subnets.
# Windows Firewall evaluates Block rules before Allow rules, so a Block from
# "Any" paired with an Allow from the admin subnet would block the admin subnet
# too. Rely on the profile's default inbound Block, add scoped Allow rules for
# the endpoint mapper and the dynamic RPC range, and scope the built-in DCOM-In rules.
# Get-NetFirewallProfile | Set-NetFirewallProfile -DefaultInboundAction Block
#
# New-NetFirewallRule -DisplayName "Allow RPC Endpoint Mapper from Admin Subnets" `
#     -Direction Inbound -LocalPort 135 -Protocol TCP `
#     -Action Allow -RemoteAddress "10.10.0.0/24" `
#     -Group "DCOM Hardening"
#
# New-NetFirewallRule -DisplayName "Allow RPC Dynamic Ports from Admin Subnets" `
#     -Direction Inbound -LocalPort RPC -Protocol TCP `
#     -Action Allow -RemoteAddress "10.10.0.0/24" `
#     -Group "DCOM Hardening"
#
# Get-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)" -Direction Inbound |
#     Set-NetFirewallRule -RemoteAddress "10.10.0.0/24"

# Narrow the dynamic port range so the allow-list above stays small. 1024 ports
# can be exhausted on a busy server; size the range for the host's workload.
# netsh int ipv4 set dynamicport tcp start=49152 num=1024

Key Concepts

Term -- Definition

DCOM (T1021.003) -- Distributed Component Object Model -- extends COM to allow remote object instantiation and method invocation over RPC, abused for lateral movement
MMC20.Application -- COM object (CLSID {49B2791A-B1AE-4C90-9B8E-E860BA07F889}) controlling MMC snap-ins; ExecuteShellCommand method enables remote command execution
ShellWindows -- COM object (CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39}) that activates within an existing explorer.exe process, executing commands without creating a new COM server process
ShellBrowserWindow -- COM object (CLSID {C08AFD90-F2A1-11D1-8455-00A0C91
how to use hunting-for-dcom-lateral-movement

How to use hunting-for-dcom-lateral-movement on Cursor

AI-first code editor with Composer

1. Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add hunting-for-dcom-lateral-movement

2. Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/hunting-for-dcom-lateral-movement

The skills CLI fetches hunting-for-dcom-lateral-movement from the GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3. Select Cursor when prompted

The CLI shows a list of available agents (Amp, Antigravity, Cline, Codex, Cursor, Windsurf, plus the universal .agents/skills target, which is always included). Use the arrow keys to navigate and space to select Cursor.

4. Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/hunting-for-dcom-lateral-movement

Reload or restart Cursor to activate hunting-for-dcom-lateral-movement. Access the skill through slash commands (e.g., /hunting-for-dcom-lateral-movement) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.



general reviews

Ratings: 4.5 (27 reviews)
  • Ganesh Mohane· Dec 24, 2024

    hunting-for-dcom-lateral-movement is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Omar Haddad· Dec 20, 2024

    I recommend hunting-for-dcom-lateral-movement for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Lucas Chawla· Dec 8, 2024

    Keeps context tight: hunting-for-dcom-lateral-movement is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Emma Kapoor· Nov 27, 2024

    hunting-for-dcom-lateral-movement is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Sakshi Patil· Nov 15, 2024

    Keeps context tight: hunting-for-dcom-lateral-movement is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • James Choi· Nov 11, 2024

    hunting-for-dcom-lateral-movement fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • William Verma· Oct 18, 2024

    Useful defaults in hunting-for-dcom-lateral-movement — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Chaitanya Patil· Oct 6, 2024

    hunting-for-dcom-lateral-movement has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Isabella Haddad· Oct 2, 2024

    Registry listing for hunting-for-dcom-lateral-movement matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Dev Iyer· Sep 25, 2024

    I recommend hunting-for-dcom-lateral-movement for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
