Techniques
Sample rules
Powershell Execute COM Object
- source: splunk
- technicques:
- T1546.015
- T1546
- T1059.001
Description
This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_execute_com_object_filter`