/
posh_ps_download_com_cradles.yml
38 lines (38 loc) · 1.42 KB
/
posh_ps_download_com_cradles.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
title: Potential COM Objects Download Cradles Usage - PS Script
id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
related:
- id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022/12/25
tags:
- attack.command_and_control
- attack.t1105
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
selection_1:
ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
selection_2:
ScriptBlockText|contains:
- '0002DF01-0000-0000-C000-000000000046'
- 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
- 'F5078F35-C551-11D3-89B9-0000F81FE221'
- '88d96a0a-f192-11d4-a65f-0040963251e5'
- 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
- 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
- '88d96a0b-f192-11d4-a65f-0040963251e5'
- '2087c2f4-2cef-4953-a8ab-66779b670495'
- '000209FF-0000-0000-C000-000000000046'
- '00024500-0000-0000-C000-000000000046'
condition: all of selection_*
falsepositives:
- Legitimate use of the library
level: medium