synacktiv/dcomillusionist — explained in plain English
Analysis updated 2026-05-18
Demonstrate fileless lateral movement in an authorized penetration test
Run a remote command on a target machine via DCOM deserialization
Load a DLL directly into memory on a target without touching disk
Capture credentials by executing code inside another user's session
| synacktiv/dcomillusionist | damianedwards/blazoridentity | tyrrrz/osuhelper | |
|---|---|---|---|
| Stars | 143 | 136 | 108 |
| Language | C# | C# | C# |
| Last pushed | — | 2022-08-23 | 2023-07-16 |
| Maintenance | — | Dormant | Dormant |
| Setup difficulty | hard | moderate | easy |
| Complexity | 5/5 | 3/5 | 2/5 |
| Audience | researcher | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Requires administrative access on both attacker and target Windows machines, and domain-joined hosts for session features.
DCOMIllusionist is a Windows security research tool from Synacktiv, a penetration testing firm. It demonstrates a technique called "fileless lateral movement", which means running code on a remote Windows machine without writing any files to that machine's disk. This matters in security testing because leaving files behind is what most antivirus and endpoint detection systems look for. A technique that avoids the disk is much harder for defenses to catch. The underlying mechanism relies on DCOM, which stands for Distributed Component Object Model. DCOM is a built-in Windows system that lets programs on one computer trigger code on another computer over a network. In this case, the tool exploits a specific behavior of .NET-based DCOM servers: they automatically process (deserialize) incoming data objects without checking whether the content is safe. By sending a crafted object, the tool can make the target machine execute arbitrary commands, load code from memory, or make authenticated network requests, all without touching the target's file system. Using the tool requires administrative access on both the machine running the attack and the target machine. You point it at a target IP address and choose an action: run a command, load a DLL directly into memory, issue an HTTP request as another user, or list active user sessions on the target. There is also a session flag that lets the tool execute code inside another user's logged-in session, which can be used to capture credentials via standard relay attacks. The technique was originally documented by security researcher James Forshaw as a local privilege escalation path. Synacktiv adapted it for remote use by modifying specific Windows registry keys on the target. The README includes a technical details section with the full explanation of the registry manipulation and DCOM server selection. This tool is intended for authorized penetration testing and security research. It requires domain-joined machines for some of its session-targeting features and network connectivity between the attacker and target hosts.
A Windows security research tool that runs code on a remote machine over DCOM without writing any files to disk.
Mainly C#. The stack also includes C#, .NET, DCOM.
No license information given in the explanation.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.