Methods like PsExec, WMI, logging in using Telnet and SSH, etc., tend to stand out to administrators or security personnel who are paying close attention to their systems. Using RPC/DCOM can help you evade notice.

Remote Procedure Call (RPC) enables inter-process communication between local and remote processes on Windows. Distributed Component Object Model (DCOM) enables communication between software components over a network. DCOM applications use RPC as a transport mechanism for client requests. Flaws in DCOM can enable you to execute code on a remote system by assuming user privileges.

For example, a DCOM application commonly used to initiate lateral movement is MMC20.Application. This enables users to execute Microsoft Management Console (MMC) snap-in operations on a Windows computer. The MMC20.Application application includes an ExecuteShellCommand() method that does exactly what its name implies. You can leverage this method by creating an instance of a DCOM object using PowerShell:

$obj = [activator]::CreateInstance ([type]::GetTypeFromProgID ("MMC20.Application","192.168.1.50"))

Note that the first argument in GetTypeFromProgID() refers to the DCOM application mentioned before, and the second argument is the IP address of the remote machine you want to move to. You can then invoke the ExecuteShellCommand() method on the object you created:

$obj.Document.ActiveView.ExecuteShellCommand ("C:\Windows\system32\calc.exe",$null,$null,"7")

The first argument is the app or command that will start—in this case, the Calculator app. The second argument specifies the current working directory, and the third specifies any parameters to add to the command. In this case, none are needed, so they're set to null. The last parameter specifies the state of the window. Ultimately, this will launch the Calculator app on the remote computer under a local administrator account.

You can, of course, do much more than just launch a simple app. The point of lateral movement is to "own" the next host you move to, so you can compromise it in many different ways. There are also other DCOM applications and methods you can use to move laterally. However, DCOM is blocked by default on modern Windows Defender firewalls, so you shouldn't expect this to work with any regularity.