You're reading from  PowerShell Automation and Scripting for Cybersecurity

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781800566378
Edition: 1st Edition
Author: Miriam C. Wiesner

Miriam C. Wiesner is a senior security researcher at Microsoft, with over 15 years of experience in IT and IT security. She has held various positions, including administrator/system engineer, software developer, premier field engineer, program manager, security consultant, and pentester. She is also a renowned creator of open source tools based in PowerShell, including EventList and JEAnalyzer. She has been invited multiple times to present the research behind her tools at many international conferences, such as Black Hat (the US, Europe, and Asia), PSConfEU, and MITRE ATT&CK workshop. Outside of work, Miriam is a dedicated wife and mother, residing with her family near Nuremberg, Germany.

PowerShell Is Powerful – System and API Access

Just when you thought PowerShell was already a mighty tool, get ready to be surprised by its ability to delve deep into the system. In this chapter, we’ll explore accessing the system and API by using PowerShell.

We’ll start by looking into the Windows Registry and how you can leverage PowerShell to easily access its keys and values. We’ll then move on to .NET Framework and the Windows API, and you’ll learn how to execute C# code directly from PowerShell.

Next, we’ll explore Windows Management Instrumentation (WMI), which can be used to access and manage a wide range of system resources, including hardware, software, network components, and other objects, through a standard interface. PowerShell makes it easy to interact with WMI and automate tasks and manipulate data.

In this chapter, you will also learn how it is possible to run PowerShell commands without executing powershell.exe. You...

Technical requirements

To make the most out of this chapter, ensure that you have the following:

Getting familiar with the Windows Registry

The Windows Registry was introduced with Windows 3.1. Back then it primarily stored information for COM-based components, but it evolved over the years. Nowadays, it serves as the hierarchical database we all know, storing low-level configuration settings for the Windows operating system as well as for the applications running on it.

Although there are multiple ways to access the registry, this section concentrates on how to access and operate on the registry using PowerShell.

The Windows Registry of modern systems usually consists of five root keys. Each has its own purpose and contains different settings:

  • HKEY_CLASSES_ROOT (HKCR): Hives underneath this root key contain COM class registration information and file associations.
  • HKEY_CURRENT_USER (HKCU): Contains settings that are specific to the user that is currently logged on. Technically, this root key is just...
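As an added example (not the book's own code), the following shows how the PowerShell Registry provider exposes these root keys: HKLM: and HKCU: exist as drives by default, the others can be mounted with New-PSDrive, and values are read through the Microsoft.Win32.RegistryKey object behind each key. The helper function name and the HKCU demo key path are my own choices.

```powershell
# HKLM: and HKCU: are PSDrives out of the box; mount HKCR and HKU the same way
$roots = @{ HKCR = 'HKEY_CLASSES_ROOT'; HKU = 'HKEY_USERS' }
foreach ($name in $roots.Keys) {
    if (-not (Get-PSDrive -Name $name -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name $name -PSProvider Registry -Root $roots[$name]
    }
}
Get-PSDrive -PSProvider Registry | Format-Table Name, Root -AutoSize

# Enumerate the values of one key with their registry data types.
# Get-Item on a registry path returns a Microsoft.Win32.RegistryKey object.
function Get-RegistryValueInfo {
    param([Parameter(Mandatory)][string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($valueName in $key.GetValueNames()) {
        [pscustomobject]@{
            Key  = $key.Name
            Name = if ($valueName) { $valueName } else { '(Default)' }
            Type = $key.GetValueKind($valueName)    # String, DWord, Binary, ...
            Data = $key.GetValue($valueName)
        }
    }
}

# Well-known key: the installed Windows version
Get-RegistryValueInfo -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Where-Object Name -in 'ProductName', 'CurrentBuild', 'InstallationType' |
    Format-Table -AutoSize

# Walking a subtree: keys the current user may not read are collected, not fatal
$denied  = @()
$subkeys = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
    -Recurse -ErrorAction SilentlyContinue -ErrorVariable denied
"{0} subkeys readable, {1} access errors" -f $subkeys.Count, $denied.Count

# Create, write, read and remove a key under HKCU (no administrator rights needed)
$demoKey = 'HKCU:\Software\PSRegistryDemo'    # constructed demo path
$null = New-Item -Path $demoKey -Force
Set-ItemProperty -Path $demoKey -Name 'LastRun' -Value (Get-Date).ToString('o') -Type String
Get-ItemPropertyValue -Path $demoKey -Name 'LastRun'
Remove-Item -Path $demoKey -Recurse
```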

User rights

User rights play a huge role in corporate environments: you can, for example, configure who is allowed to log on to which system and who is allowed to do what. A misconfiguration can pose a serious risk of identity theft and lateral movement.

Adversaries can use user rights information to find out which accounts are worth compromising in order to escalate their privileges.

You can find a detailed overview of all user rights in the official documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment.

I know the documentation is quite extensive, and if you have no experience with user rights yet, you might quickly get lost. Therefore, let me explain some of the most important security-related user rights that I have often seen misconfigured.

Configuring access user rights

In general, log-on rights are always critical if too many users and/or groups are allowed to access a sensitive system. Many default rights are...
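To see who actually holds the log-on rights discussed above, here is an added example (not from the book) that exports the local security policy with secedit.exe and resolves the principals of selected rights. The function name, the export path, and the set of rights shown are my own choices; the session must be elevated for the export to succeed.

```powershell
# Export only the user rights area of the local security policy (constructed path)
$export = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section: lines look like
#   SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
# and translate each *SID into an account name.
function Get-UserRightsAssignment {
    param([Parameter(Mandatory)][string]$InfPath, [string[]]$Right)
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name, $holders = $Matches[1], $Matches[2]
        if ($Right -and $name -notin $Right) { continue }
        $principals = foreach ($h in $holders -split ',') {
            $h = $h.Trim()
            if ($h.StartsWith('*')) {
                try {
                    ([System.Security.Principal.SecurityIdentifier]$h.Substring(1)).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $h.Substring(1) }   # orphaned SID: keep the raw value, it deserves a look
            } else { $h }
        }
        [pscustomobject]@{ Right = $name; Principals = $principals -join '; ' }
    }
}

# Rights that decide who can reach this host locally, over the network, or via RDP
$logonRights = 'SeInteractiveLogonRight', 'SeNetworkLogonRight',
               'SeRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight'
Get-UserRightsAssignment -InfPath $export -Right $logonRights | Format-Table -Wrap
Remove-Item -Path $export
```

A right whose line is missing from the export has no holders at all, which for a deny right is the usual state and for an allow right is worth confirming.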

Basics of the Windows API

The Windows Application Programming Interface (API), also known as Win32 or WinAPI, is a collection of libraries, functions, and interfaces that provide low-level access to various features and components of the Windows operating system. It allows developers direct access to system features and hardware, simplifying access to deeper layers of the operating system. The Windows API functions are written in C/C++ and are exposed by DLL files (such as kernel32.dll or user32.dll).

The Windows API is implemented as a collection of dynamic-link libraries (DLLs) that are loaded into memory when an application needs to use them. These DLLs contain the functions and procedures that make up the API. When an application calls a function from the API, it is essentially sending a message to the operating system to perform a certain task. The operating system then executes the appropriate function from the appropriate DLL and returns the result to the application.

...

Exploring .NET Framework

.NET Framework is a software framework developed by Microsoft that provides a wide range of functionalities for building and running applications. It is a default part of every Windows installation since Windows Vista. One of the framework’s key features is the ability to access system and API resources, making it a powerful tool.

.NET Framework consists of two main components:

  • Common Language Runtime (CLR):

This is the runtime engine for .NET; it also contains a Just in Time (JIT) compiler, which translates Common Intermediate Language (CIL) bytecode into machine code that can execute on the specific architecture of the computer it is running on.

The CLR also includes thread management, a garbage collector, type safety, code access security, exception handling, and more.

Every .NET Framework version comes with its own CLR.

  • .NET Framework Class Library (FCL):

The FCL is a...
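The following added example (not the book's own code) ties the Windows API and .NET Framework sections together: Add-Type hands a C# source string to the compiler at run time, the DllImport attributes bind to functions exported by kernel32.dll, and the same facts are then read through FCL classes without P/Invoke. The class name Win32Info and its wrapper method are my own choices.

```powershell
$source = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

public static class Win32Info
{
    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentProcessId();

    [DllImport("kernel32.dll")]
    public static extern ulong GetTickCount64();   // milliseconds since boot

    // SetLastError = true lets Marshal.GetLastWin32Error() return the API's error code
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool GetComputerNameW(StringBuilder lpBuffer, ref uint nSize);

    // Managed wrapper around the raw API: buffer handling and error translation
    public static string GetComputerName()
    {
        uint size = 256;
        var buffer = new StringBuilder((int)size);
        if (!GetComputerNameW(buffer, ref size))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return buffer.ToString();
    }
}
'@
# Compiles the C# above into the current session; a type name can only be added once
Add-Type -TypeDefinition $source

# Windows API calls through the compiled class
[Win32Info]::GetCurrentProcessId()                              # same value as $PID
[Win32Info]::GetComputerName()
[TimeSpan]::FromMilliseconds([Win32Info]::GetTickCount64())    # system uptime

# The same information through the .NET Framework Class Library, no P/Invoke needed
[System.Diagnostics.Process]::GetCurrentProcess().Id
[System.Environment]::MachineName
[System.Environment]::Version    # version of the CLR hosting this PowerShell session
```

Because the C# source is part of the script text, it is captured in full by PowerShell script block logging, which is why Add-Type with DllImport declarations is a common thing for defenders to look for.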

Understanding the Component Object Model (COM) and COM hijacking

COM is a binary standard for software componentry introduced by Microsoft in 1993, which defines a set of rules for how software components interact with each other and allows inter-process communication. It was developed by Microsoft to address the need for interoperability between applications.

COM is the basis of many other technologies, such as OLE, COM+, DCOM, ActiveX, Windows User Interface, Windows Runtime, and many others. Basically, COM is just middleware that sits between two components and allows them to communicate with each other.

One example of how COM is used is Object Linking and Embedding (OLE): suppose you want to include an Excel table in your PowerPoint presentation. Without COM, PowerPoint would need to implement the actual code that makes Excel work the way it does. But since this would be a waste of resources and redundant...
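As an added example (not from the book), the following uses a COM server from PowerShell, resolves its ProgID to the CLSID that COM looks up in the registry, and then performs a defender-side check for COM hijacking: per-user CLSID registrations under HKCU\Software\Classes take precedence over the machine-wide ones under HKLM, so any per-user entry that shadows a machine-wide class deserves review. The function name is my own choice; Shell.Application and its CLSID key are real registrations.

```powershell
# 1. Use an existing COM server: Shell.Application exposes the Explorer shell
$shell = New-Object -ComObject Shell.Application
$shell.Windows().Count        # number of open Explorer windows

# 2. Resolve ProgID -> CLSID the way COM does (HKCR\<ProgID>\CLSID default value)
$clsid = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\Shell.Application\CLSID').'(default)'
$clsid
# ...and instantiate the class directly from its CLSID through .NET
$sameShell = [Activator]::CreateInstance([type]::GetTypeFromCLSID([guid]$clsid))
$sameShell.Windows().Count

# 3. Defender check: per-user in-process servers that shadow a machine-wide class
function Get-ShadowedComClass {
    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    if (-not (Test-Path -Path $userRoot)) { return }    # nothing registered per user
    foreach ($key in Get-ChildItem -Path $userRoot) {
        $id = $key.PSChildName
        $userServer = Get-ItemProperty -Path "$userRoot\$id\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $userServer) { continue }
        if (Test-Path -Path "$machineRoot\$id") {
            $machineServer = Get-ItemProperty -Path "$machineRoot\$id\InprocServer32" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                CLSID         = $id
                UserServer    = $userServer.'(default)'      # DLL loaded first by non-elevated processes
                MachineServer = $machineServer.'(default)'
            }
        }
    }
}
Get-ShadowedComClass | Format-Table -AutoSize
```

Legitimate per-user software installs also register classes under HKCU, so the list is a starting point for review (where does the DLL live, is it signed, when was the key written), not a verdict.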

Common Information Model (CIM)/WMI

We already learned in Chapter 3, Exploring PowerShell Remote Management Technologies and PowerShell Remoting, that WMI is Microsoft’s implementation of the CIM, and how to use WMI- or CIM-related PowerShell cmdlets.

In this chapter, we are exploring WMI a little bit further in the system context.

WMI is not a new technology, and WMI attacks are not a new attack vector. WMI only produces a small forensic footprint, runs in memory only, and is a great way to evade whitelisting as well as host-based security tools. Therefore, WMI has been weaponized in attacks in recent years like never before.

In general, applications such as PowerShell, .NET, C/C++, VBScript, and many more can access WMI through the WMI API. The CIM Object Manager (CIMOM) then manages the access between each WMI component. The communication relies on COM/DCOM.

The following figure demonstrates the architecture of WMI:

Figure 5.25 – WMI architecture
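Two defender-side uses of the WMI architecture described above, as an added example that is not part of the book: listing the permanent event subscriptions stored in the root\subscription namespace (filter, consumer, and the binding between them), and subscribing to process-creation events through a CIM indication. The class and property names are real WMI ones; the function name and the source identifier are my own choices.

```powershell
$ns = 'root/subscription'

# (1) Permanent subscriptions survive reboots and run under WMI's own process,
#     so every filter -> consumer binding found here deserves review.
function Get-WmiPermanentSubscription {
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # all derived consumer types
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # Filter and Consumer are object references; match them on their Name key
        $f = $filters   | Where-Object { "$($b.Filter)"   -match ('Name\s*=\s*"' + [regex]::Escape($_.Name) + '"') }
        $c = $consumers | Where-Object { "$($b.Consumer)" -match ('Name\s*=\s*"' + [regex]::Escape($_.Name) + '"') }
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query                      # the WQL event the filter waits for
            ConsumerType = $c.CimClass.CimClassName
            Consumer     = $c.Name
            # Only CommandLineEventConsumer / ActiveScriptEventConsumer carry these
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}
Get-WmiPermanentSubscription | Format-List

# (2) Live detection: the indication fires when WMI sees a new Win32_Process.
#     WITHIN 2 asks WMI to poll for new instances every two seconds.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"
Register-CimIndicationEvent -SourceIdentifier 'NewProcess' -Query $query -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ('{0} PID {1} (parent {2}): {3}' -f (Get-Date -Format 'T'),
        $p.ProcessId, $p.ParentProcessId, $p.CommandLine)
}
# Stop listening when done: Unregister-Event -SourceIdentifier 'NewProcess'
```

A default Windows installation ships one binding, the SCM Event Log Filter/Consumer pair (NTEventLogEventConsumer); anything beyond that should be explainable by software you know about.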

Running PowerShell without powershell.exe

To execute PowerShell commands, you usually first start powershell.exe. But there may be situations where running PowerShell in a traditional manner is not possible or allowed.

In those cases, PowerShell can still be run by using other means, such as through Windows Script Host (WSH), WMI, .NET Framework, or more.

Using “living off the land” binaries to call assembly functions

The term LOLbin is short for living off the land binaries and was coined by malware researchers Christopher Campbell and Matt Graeber at DerbyCon 3 in 2013. In a Twitter discussion on what to call those binaries that can be abused to run malicious code, the term LOLBins came up for the first time and a (highly scientific) Twitter poll made the terms LOLBins and LOLScripts official within the community.

A LOLbin refers to legitimate, pre-installed system binaries or applications that can be abused by attackers to carry out malicious activities...

Summary

In this chapter, we explored how PowerShell provides access to various system and API resources such as the Windows Registry, Windows API (including COM and .NET Framework), and WMI. We also learned how to run PowerShell without the use of the powershell.exe executable.

The chapter provided many examples that demonstrated how red teamers or adversaries can exploit these APIs and resources. It was also intended to help blue teamers to gain insights into adversary behavior and learn how to leverage PowerShell to monitor and detect suspicious behavior by leveraging CIM events.

By the end of the chapter, you should have gained a better understanding of how PowerShell can be used to interact with system resources and APIs, as well as how to leverage it for both offensive and defensive purposes.

When we are talking about PowerShell security, authentication and identities play an important role. Let’s have a look at Active Directory security from a PowerShell perspective...

Further reading

If you want to explore some of the topics that were mentioned in this chapter, follow these resources:

API:

CIM/WMI:

COM hijacking:
