LoFP / network operrator may use this command.

Techniques

• T1059.001
• T1546
• T1546.015

Sample rules

Powershell Execute COM Object

• source: splunk
• technicques:
  • T1546.015
  • T1546
  • T1059.001

Description

The following analytic detects the execution of a COM CLSID through PowerShell. It leverages EventCode 4104 and searches for specific script block text indicating the creation of a COM object. This activity is significant as it is commonly used by adversaries and malware, such as the Conti ransomware, to execute commands, potentially for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment, posing a significant security risk.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_execute_com_object_filter`