Detection rules › Sigma
Potential COM Objects Download Cradles Usage - PS Script
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Stages and Predicates
Stage 1: all of selection_1
ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
Stage 2: all of selection_2
or:
ScriptBlockText|contains: '000209FF-0000-0000-C000-000000000046'
ScriptBlockText|contains: '00024500-0000-0000-C000-000000000046'
ScriptBlockText|contains: '0002DF01-0000-0000-C000-000000000046'
ScriptBlockText|contains: '2087c2f4-2cef-4953-a8ab-66779b670495'
ScriptBlockText|contains: '88d96a0a-f192-11d4-a65f-0040963251e5'
ScriptBlockText|contains: '88d96a0b-f192-11d4-a65f-0040963251e5'
ScriptBlockText|contains: 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
ScriptBlockText|contains: 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
ScriptBlockText|contains: 'F5078F35-C551-11D3-89B9-0000F81FE221'
ScriptBlockText|contains: 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ScriptBlockText | match |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Potential PowerShell Obfuscation via Invalid Escape Sequences (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Character Array Reconstruction (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via High Numeric Character Proportion (drops 1 filter this rule applies)
- Potential Dynamic IEX Reconstruction via Environment Variables (drops 1 filter this rule applies)
- Dynamic IEX Reconstruction via Method String Access (drops 1 filter this rule applies)
- PowerShell Obfuscation via Negative Index String Reversal (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Reverse Keywords (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via String Concatenation (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via String Reordering (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Special Character Overuse (drops 1 filter this rule applies)