network operrator may use this command.

t1059.001
t1546
t1546.015
endpoint
splunk

Techniques

T1059.001
T1546
T1546.015

Sample rules

Powershell Execute COM Object

source: splunk
technicques:
- T1546.015
- T1546
- T1059.001

Description

This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_execute_com_object_filter`