Potential COM Objects Download Cradles Usage - Process Creation
Detects PowerShell command lines that reference, by CLSID, COM objects which can be abused to download files.
Sigma rule

```yaml
title: Potential COM Objects Download Cradles Usage - Process Creation
id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
related:
    - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
      type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains: '[Type]::GetTypeFromCLSID('
    selection_2:
        CommandLine|contains:
            - '0002DF01-0000-0000-C000-000000000046'
            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
            - 'F5078F35-C551-11D3-89B9-0000F81FE221'
            - '88d96a0a-f192-11d4-a65f-0040963251e5'
            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
            - '88d96a0b-f192-11d4-a65f-0040963251e5'
            - '2087c2f4-2cef-4953-a8ab-66779b670495'
            - '000209FF-0000-0000-C000-000000000046'
            - '00024500-0000-0000-C000-000000000046'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library
level: medium
```
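The following Python is an added example, not part of the rule or of the SigmaHQ project: it re-implements the rule's `detection` block (two `contains` selections joined by `all of selection_*`) and runs it over a handful of constructed `process_creation` events. The CLSID list is copied from the rule; the sample command lines, image paths and the nil GUID used as an unlisted CLSID are constructed for the example. Sigma's `contains` modifier is a case-insensitive substring test, which is why the rule can mix upper- and lower-case CLSIDs.

```python
# Added example: the rule's detection logic in plain Python, run over
# constructed process_creation events (not real telemetry).

SELECTION_1 = ["[Type]::GetTypeFromCLSID("]

# CLSID list copied from selection_2 of the rule.
SELECTION_2 = [
    "0002DF01-0000-0000-C000-000000000046",
    "F6D90F16-9C73-11D3-B32E-00C04F990BB4",
    "F5078F35-C551-11D3-89B9-0000F81FE221",
    "88d96a0a-f192-11d4-a65f-0040963251e5",
    "AFBA6B42-5692-48EA-8141-DC517DCF0EF1",
    "AFB40FFD-B609-40A3-9828-F88BBE11E4E3",
    "88d96a0b-f192-11d4-a65f-0040963251e5",
    "2087c2f4-2cef-4953-a8ab-66779b670495",
    "000209FF-0000-0000-C000-000000000046",
    "00024500-0000-0000-C000-000000000046",
]


def contains_any(value: str, needles: list[str]) -> bool:
    """Sigma `field|contains` with a list of values: true if any value is a
    case-insensitive substring of the field."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def matches_rule(event: dict) -> bool:
    """`condition: all of selection_*`: both selections must hit the same event."""
    cmdline = event.get("CommandLine", "")
    return contains_any(cmdline, SELECTION_1) and contains_any(cmdline, SELECTION_2)


# Constructed sample events; field names follow the Sigma process_creation model.
SAMPLE_EVENTS = [
    # 0: both selections present, CLSID typed in lower case -> alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"[Type]::GetTypeFromCLSID('0002df01-0000-0000-c000-000000000046')\""},
    # 1: GetTypeFromCLSID with a CLSID that is not in the list -> selection_2 misses
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"[Type]::GetTypeFromCLSID('00000000-0000-0000-0000-000000000000')\""},
    # 2: a listed CLSID appearing in an unrelated registry query -> selection_1 misses
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}"},
    # 3: ordinary PowerShell invocation -> nothing matches
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Date"},
]


def alerting_events(events: list[dict] = SAMPLE_EVENTS) -> list[int]:
    """Return the indices of the events that satisfy the rule."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


if __name__ == "__main__":
    for i in alerting_events():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Only event 0 alerts. Event 2 shows why the condition is `all of selection_*` rather than either selection alone: a listed CLSID turning up in a registry query or installer log would otherwise fire on its own, and the rule's stated false positive ("Legitimate use of the library") would be much broader.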
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings