explaingit

synacktiv/dcomillusionist

Analysis updated 2026-05-18

143C#Audience · researcherComplexity · 5/5Setup · hard

TLDR

A Windows security research tool that runs code on a remote machine over DCOM without writing any files to disk.

Mindmap

mindmap
  root((DCOMIllusionist))
    What it does
      Fileless execution
      Remote command run
      DLL load in memory
    Tech stack
      C#
      DCOM
      .NET deserialization
    Use cases
      Penetration testing
      Lateral movement research
      Session hijacking tests
    Audience
      Security researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Demonstrate fileless lateral movement in an authorized penetration test

USE CASE 2

Run a remote command on a target machine via DCOM deserialization

USE CASE 3

Load a DLL directly into memory on a target without touching disk

USE CASE 4

Capture credentials by executing code inside another user's session

What is it built with?

C#.NETDCOM

How does it compare?

synacktiv/dcomillusionistdamianedwards/blazoridentitytyrrrz/osuhelper
Stars143136108
LanguageC#C#C#
Last pushed2022-08-232023-07-16
MaintenanceDormantDormant
Setup difficultyhardmoderateeasy
Complexity5/53/52/5
Audienceresearcherdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires administrative access on both attacker and target Windows machines, and domain-joined hosts for session features.

No license information given in the explanation.

In plain English

DCOMIllusionist is a Windows security research tool from Synacktiv, a penetration testing firm. It demonstrates a technique called "fileless lateral movement", which means running code on a remote Windows machine without writing any files to that machine's disk. This matters in security testing because leaving files behind is what most antivirus and endpoint detection systems look for. A technique that avoids the disk is much harder for defenses to catch. The underlying mechanism relies on DCOM, which stands for Distributed Component Object Model. DCOM is a built-in Windows system that lets programs on one computer trigger code on another computer over a network. In this case, the tool exploits a specific behavior of .NET-based DCOM servers: they automatically process (deserialize) incoming data objects without checking whether the content is safe. By sending a crafted object, the tool can make the target machine execute arbitrary commands, load code from memory, or make authenticated network requests, all without touching the target's file system. Using the tool requires administrative access on both the machine running the attack and the target machine. You point it at a target IP address and choose an action: run a command, load a DLL directly into memory, issue an HTTP request as another user, or list active user sessions on the target. There is also a session flag that lets the tool execute code inside another user's logged-in session, which can be used to capture credentials via standard relay attacks. The technique was originally documented by security researcher James Forshaw as a local privilege escalation path. Synacktiv adapted it for remote use by modifying specific Windows registry keys on the target. The README includes a technical details section with the full explanation of the registry manipulation and DCOM server selection. This tool is intended for authorized penetration testing and security research. It requires domain-joined machines for some of its session-targeting features and network connectivity between the attacker and target hosts.

Copy-paste prompts

Prompt 1
Explain how DCOMIllusionist exploits .NET DCOM server deserialization for fileless code execution.
Prompt 2
Walk me through the registry key changes this tool makes to enable remote DCOM activation.
Prompt 3
How does the session flag let this tool execute code inside another logged-in user's session?
Prompt 4
What administrative privileges and network conditions does this tool require to work?

Frequently asked questions

What is dcomillusionist?

A Windows security research tool that runs code on a remote machine over DCOM without writing any files to disk.

What language is dcomillusionist written in?

Mainly C#. The stack also includes C#, .NET, DCOM.

What license does dcomillusionist use?

No license information given in the explanation.

How hard is dcomillusionist to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is dcomillusionist for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.