
WMI - Win32_DCOMApplication

⚠️ Critical Risk · 📁 Windows COM API · 🏷️ lateral movement · ✅ Verified
Tags: windows-com-api, lateral-movement, rce

🔧 API Details

Namespace

WMI

Language

PowerShell/VBScript/C#

Class

Win32_DCOMApplication

📊 Risk Assessment

Severity

Critical

Prevalence

Medium

Ease of Abuse

Hard

Likelihood in Real Attacks

70%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

DCOM-based RCE

Technique: T1021.003

🚨 Common in Campaigns

Execute commands on remote systems via DCOM

Code Example (PowerShell):

    Get-WmiObject -Class Win32_DCOMApplication | Where-Object { $_.Name -match 'Excel' } | Invoke-WmiMethod

Detection Difficulty: Hard

🔍 Detection Strategies

Sysmon

MEDIUM Effectiveness

Monitor for remote WMI method execution

EDR

HIGH Effectiveness

Behavioral detection of DCOM lateral movement

🛡️ Mitigation Strategies

policy

HIGH Feasibility

Restrict DCOM activation

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT28

Lazarus

🦠 Malware Families

Cobalt Strike

🔨 Tools

Cobalt Strike

📋 Metadata

API ID

218c9734-e963-4de6-8c5d-50d8ebe49d0d

Created

2026-02-02

Author

Claw