Summary#

The following writeup is a work in progress and provides insights into how attackers leverage PowerShell to instantiate and manipulate COM objects for malicious purposes.

Keep in mind that PowerShell is only one of many ways to interact with COM objects on Windows systems. Other scripting languages and tools can also be used to achieve similar results.

Schedule.Service#

"C:\Windows\system32\cmd.exe" /S /C "powershell -ExecutionPolicy Bypass -Command "& {$ErrorActionPreference = \"Stop\";$scheduler = New-Object -ComObject \"Schedule.Service\";$scheduler.Connect();$task = $scheduler.GetFolder(\"\").GetTask(\"WindhawkRunUITask\");$sec = $task.GetSecurityDescriptor(0xF);$sec = $sec + '(A;;GRGX;;;AU)';$task.SetSecurityDescriptor($sec, 0)}" -FFFeatureOff"

WScript.Shell#

CreateShortcut#

powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $Shortcut = $WScriptShell.CreateShortcut('C:\Users\<USER>\Desktop\Dispatch.lnk'); $Shortcut.TargetPath = 'C:\Users\<USER>\Desktop\\Dispatch.exe'; $Shortcut.WorkingDirectory = 'C:\Users\<USER>\Desktop'; $Shortcut.Save()"
TBDWork in ProgressThis section is still being drafted and will be expanded soon.

Related Articles

Other threads in the archive worth reading next.

Field Notes

Invoke-CommandInDesktopPackage Interesting Tidbit

An interesting tidbit about the Invoke-CommandInDesktopPackage PowerShell cmdlet, which allows you to execute commands in the context of an AppX Package, providing access to virtualized resources such as registry keys and files. This can be particularly useful for gaining insights into the behavior of AppX packages and their interactions with the system.

Field Notes

DismHost - Command-Line, COM Registration, and DLL Loading

Notes from reversing DismHost.exe, the out-of-process COM host used by DISM image sessions.

Field Notes

UWP / Packaged Desktop Application Startup Persistence

Detailed writeup on how UWP and Packaged desktop applications can create startup tasks to execute at startup, where the information about these tasks is stored, and how to enumerate them.