Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential COM Objects Download Cradles Usage - PS Script

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sun Dec 253c7d1587-3b13-439f-9941-7d14313dbdfewindows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Script Block Logging must be enable

Detection Logic
Detection Logic2 selectors
detection:
    selection_1:
        ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
    selection_2:
        ScriptBlockText|contains:
            - '0002DF01-0000-0000-C000-000000000046'
            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
            - 'F5078F35-C551-11D3-89B9-0000F81FE221'
            - '88d96a0a-f192-11d4-a65f-0040963251e5'
            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
            - '88d96a0b-f192-11d4-a65f-0040963251e5'
            - '2087c2f4-2cef-4953-a8ab-66779b670495'
            - '000209FF-0000-0000-C000-000000000046'
            - '00024500-0000-0000-C000-000000000046'
    condition: all of selection_*
False Positives

Legitimate use of the library

References
1
Resolving title…
learn.microsoft.com
2
Resolving title…
speakerdeck.com
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

Potential COM Objects Download Cradles Usage - Process Creation

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
3c7d1587-3b13-439f-9941-7d14313dbdfe
Status
test
Level
medium
Type
Detection
Created
Sun Dec 25
Author
François Hubaut
Path
rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
Raw Tags
attack.command-and-controlattack.t1105
View on GitHub