PowerShell COM Object Execution
How attackers abuse COM objects from PowerShell — Schedule.Service, WScript.Shell, and examples.
The following writeup is a work in progress and provides insights into how attackers leverage PowerShell to instantiate and manipulate COM objects for malicious purposes.
Keep in mind that PowerShell is only one of many ways to interact with COM objects on Windows systems. Other scripting languages and tools can also be used to achieve similar results.
Schedule.Service
"C:\Windows\system32\cmd.exe" /S /C "powershell -ExecutionPolicy Bypass -Command "& {$ErrorActionPreference = \"Stop\";$scheduler = New-Object -ComObject \"Schedule.Service\";$scheduler.Connect();$task = $scheduler.GetFolder(\"\").GetTask(\"WindhawkRunUITask\");$sec = $task.GetSecurityDescriptor(0xF);$sec = $sec + '(A;;GRGX;;;AU)';$task.SetSecurityDescriptor($sec, 0)}" -FFFeatureOff"
This captured command line connects to the Task Scheduler service, reads the security descriptor of the WindhawkRunUITask task in the root task folder, appends the SDDL ACE (A;;GRGX;;;AU), which grants Authenticated Users generic read and execute on the task, and writes the modified descriptor back.
WScript.Shell
CreateShortcut
powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $Shortcut = $WScriptShell.CreateShortcut('C:\Users\<USER>\Desktop\Dispatch.lnk'); $Shortcut.TargetPath = 'C:\Users\<USER>\Desktop\Dispatch.exe'; $Shortcut.WorkingDirectory = 'C:\Users\<USER>\Desktop'; $Shortcut.Save()"
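As an added defender-side example, not part of the original writeup: the same Schedule.Service COM interface used in the first example can audit every registered task's DACL and report Allow ACEs that grant broad principals (Authenticated Users, Everyone, Users, and so on; that list is an assumption) anything beyond read access, which is exactly what the (A;;GRGX;;;AU) change above would produce. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original writeup): audit scheduled-task DACLs through the
# same Schedule.Service COM interface the attacker used, and report Allow ACEs that grant
# broad principals anything beyond read access. Run from an elevated PowerShell session.

# SDDL SID aliases treated as "broad" (assumption; adjust for your environment):
# AU=Authenticated Users, WD=Everyone, BU=Users, IU=Interactive, AN=Anonymous, BG=Guests.
$BroadPrincipals = @('AU', 'WD', 'BU', 'IU', 'AN', 'BG')
# Rights tokens considered harmless on a task: generic read and read-control.
$ReadOnlyRights = @('GR', 'RC')

function Get-AllRegisteredTasks($Folder) {
    # TASK_ENUM_HIDDEN (1) includes hidden tasks; recurse into every subfolder.
    foreach ($t in $Folder.GetTasks(1)) { $t }
    foreach ($sub in $Folder.GetFolders(0)) { Get-AllRegisteredTasks $sub }
}

function Test-BroadAce([string]$Ace) {
    # An SDDL ACE such as (A;;GRGX;;;AU) is type;flags;rights;object_guid;inherit_guid;sid.
    $f = $Ace.Trim('(', ')').Split(';')
    if ($f.Count -lt 6 -or $f[0] -ne 'A' -or -not $f[2]) { return $null }   # Allow ACEs only
    if ($BroadPrincipals -notcontains $f[5]) { return $null }
    $rights = $f[2]
    if ($rights -like '0x*') {
        $tokens = @($rights)   # raw access mask: surface it for manual review
    } else {
        # Generic rights are two-letter tokens concatenated, e.g. GRGX -> GR, GX
        $tokens = for ($i = 0; $i -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
    }
    $risky = @($tokens | Where-Object { $ReadOnlyRights -notcontains $_ })
    if ($risky.Count -gt 0) {
        [pscustomobject]@{ Principal = $f[5]; Rights = $rights; Ace = $Ace }
    }
}

function Get-BroadTaskAces {
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    foreach ($task in Get-AllRegisteredTasks $svc.GetFolder('\')) {
        # 0x7 = OWNER | GROUP | DACL; SACL (0x8) is skipped so the call works without SeSecurityPrivilege
        try { $sddl = $task.GetSecurityDescriptor(0x7) } catch { continue }
        foreach ($m in [regex]::Matches($sddl, '\([^)]*\)')) {
            $hit = Test-BroadAce $m.Value
            if ($hit) {
                [pscustomobject]@{ Task = $task.Path; Principal = $hit.Principal; Rights = $hit.Rights; Ace = $hit.Ace }
            }
        }
    }
}

Get-BroadTaskAces | Format-Table -AutoSize
```

Any row this prints is a task that a low-privileged principal can read and run or modify; compare it against a baseline export, since some legitimate tasks grant such access by design.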