You're reading from PowerShell Automation and Scripting for Cybersecurity Hacking and defense for red and blue teamers

Product type Paperback

Published in Aug 2023

Publisher Packt

ISBN-13 9781800566378

Length 572 pages

Edition 1st Edition

Languages

PowerShell

Tools

PowerShell

Concepts

Cybersecurity

Author (1):

Miriam C. Wiesner

View More author details

Table of Contents (19) Chapters

Preface

1. Part 1: PowerShell Fundamentals

2. Chapter 1: Getting Started with PowerShell FREE CHAPTER

3. Chapter 2: PowerShell Scripting Fundamentals

4. Chapter 3: Exploring PowerShell Remote Management Technologies and PowerShell Remoting

5. Chapter 4: Detection – Auditing and Monitoring

6. Part 2: Digging Deeper – Identities, System Access, and Day-to-Day Security Tasks

7. Chapter 5: PowerShell Is Powerful – System and API Access

8. Chapter 6: Active Directory – Attacks and Mitigation

9. Chapter 7: Hacking the Cloud – Exploiting Azure Active Directory/Entra ID

10. Chapter 8: Red Team Tasks and Cookbook

11. Chapter 9: Blue Team Tasks and Cookbook

12. Part 3: Securing PowerShell – Effective Mitigations In Detail

13. Chapter 10: Language Modes and Just Enough Administration (JEA)

14. Chapter 11: AppLocker, Application Control, and Code Signing

15. Chapter 12: Exploring the Antimalware Scan Interface (AMSI)

16. Chapter 13: What Else? – Further Mitigations and Resources

17. Index

Why subscribe?

18. Other Books You May Enjoy

Common Information Model (CIM)/WMI

We already learned in Chapter 3, Exploring PowerShell Remote Management Technologies and PowerShell Remoting, that WMI is Microsoft’s implementation of the CIM, and how to use WMI- or CIM-related PowerShell cmdlets.

In this chapter, we are exploring WMI a little bit further in the system context.

WMI is not a new technology, and WMI attacks are not a new attack vector. WMI only produces a small forensic footprint, runs in memory only, and is a great way to evade whitelisting as well as host-based security tools. Therefore, WMI has been weaponized in attacks in recent years like never before.

In general, applications such as PowerShell, .NET, C/C++, VBScript, and many more can access WMI through the WMI API. The CIM Object Manager (CIMOM) then manages the access between each WMI component. The communication relies on COM/DCOM.

The following figure demonstrates the architecture of WMI: