CertifiedDCOM: The Privilege Escalation Journey to Domain Admin with DCOM

Learn how DCOM vulnerabilities in Active Directory Certificate Services can be exploited for domain admin privileges, and discover key mitigations to secure your environment.

Key takeaways

  • DCOM (Distributed COM) allows remote activation of COM objects and can be exploited for privilege escalation to Domain Admin

  • DCOM activation via the CoGetInstanceFromIStorage API can be abused, allowing attackers to trigger high-privileged COM servers

  • Active Directory’s default configuration allows all domain users and computers to submit certificate signing requests and validate certificates

  • ADCS (Active Directory Certificate Services) has special COM security configurations that make it vulnerable to attacks:
    • Authenticated users have remote activation privileges by default
    • ADCS machine accounts are used for network authentication
    • No authentication exists in the HTTP layer

  • Two main attack paths were demonstrated:
    • NTLM relay to ADCS HTTP endpoints
    • Kerberos reflection/relay attacks using ADCS machine accounts

  • Key mitigations include:
    • Updating ADCS and installing security patches
    • Enabling EPA (Extended Protection for Authentication)
    • Implementing LDAP signing and channel binding
    • Enabling DCOM authentication hardening
    • Updating COM security configurations

  • RPC supports multiple transport protocols (TCP, UDP, SMB, HTTP), which can be leveraged for attacks

  • DCOM communication uses RPC over TCP/IP between machines, with authentication occurring at the RPC layer

  • The vulnerability allows attackers to:
    • Relay authentication to other services
    • Execute commands via WMI on domain controllers
    • Obtain domain admin privileges
    • Perform resource-based delegation attacks

  • Windows default COM security is strict but can be bypassed through misconfigured services and custom configurations
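As an added example (not code from the CertifiedDCOM talk or its authors), the following PowerShell performs a read-only audit of the mitigation settings listed under "Key mitigations" on a Windows host; it assumes the default IIS site and web enrollment virtual directory names ("Default Web Site", "CertSrv") and PowerShell 5 or later.

```powershell
# Added example, not from the CertifiedDCOM talk: read-only audit of the mitigation settings
# listed in the key takeaways. Run elevated on the ADCS server; the NTDS checks only apply on
# a domain controller. The IIS site and virtual directory names ("Default Web Site", "CertSrv")
# are assumed defaults; adjust them if web enrollment is installed elsewhere.

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, i.e. the OS default still applies
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, $Value, [bool]$Ok) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Ok = $Ok })
}

# 1. DCOM authentication hardening (KB5004442): 1 = enforce the raised activation auth level
$dcom = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'RequireIntegrityActivationAuthenticationLevel'
Add-Finding 'DCOM activation hardening' $dcom ($dcom -eq 1)

# 2. LDAP signing (2 = required) and channel binding (2 = always), domain controllers only
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $sign = Get-RegValue $ntds 'LDAPServerIntegrity'
    $cbt  = Get-RegValue $ntds 'LdapEnforceChannelBinding'
    Add-Finding 'LDAP signing required' $sign ($sign -eq 2)
    Add-Finding 'LDAP channel binding always' $cbt ($cbt -eq 2)
}

# 3. EPA on the ADCS web enrollment virtual directory: tokenChecking must be Require
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = (Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection').tokenChecking
    Add-Finding 'EPA on /CertSrv' $epa ("$epa" -eq 'Require')
}

# 4. Machine-wide DCOM launch restrictions: which principals hold COM_RIGHTS_ACTIVATE_REMOTE (0x10)
$ACTIVATE_REMOTE = 0x10
$raw = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'MachineLaunchRestriction'
if ($raw) {
    # REG_BINARY value is a self-relative security descriptor
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)
    $sids = @($sd.DiscretionaryAcl |
        Where-Object { $_.AceType -eq 'AccessAllowed' -and ($_.AccessMask -band $ACTIVATE_REMOTE) } |
        ForEach-Object { $_.SecurityIdentifier.Value })
    # S-1-5-11 is Authenticated Users; granting it remote activation is the weak setting
    Add-Finding 'Remote activation limited (no S-1-5-11)' ($sids -join ', ') ($sids -notcontains 'S-1-5-11')
}

$findings | Format-Table -AutoSize
```

Check 4 covers only the machine-wide default; a DCOM application with its own LaunchPermission under its HKCR\AppID entry overrides it, so the ADCS application's entry should be reviewed separately.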