Language: SPL | License: Apache-2.0 | Source: splunk/security_content

Powershell Execute COM Object

The following analytic detects PowerShell instantiating a COM object by CLSID. It leverages PowerShell Script Block Logging (EventCode 4104 in the Microsoft-Windows-PowerShell/Operational log, which only exists if script block logging is enabled) and searches the logged script block text for the `CreateInstance([type]::GetTypeFromCLSID(...))` call that creates a COM object from its CLSID. This activity is significant because adversaries and malware, such as the Conti ransomware, use COM objects from PowerShell to execute commands, often to escalate privileges or bypass User Account Control (UAC). If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment. Note that the match is a literal wildcard on the script block text: a script that spells the call differently (for example `[System.Type]::GetTypeFromCLSID`, extra whitespace, or a CLSID resolved some other way) is not caught by this search, so treat it as one signal among several rather than complete coverage of COM execution.

Rule source: detections/endpoint/powershell_execute_com_object.yml
`powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime BY dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_execute_com_object_filter`
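To see exactly what the search above catches and what it misses, here is the same matching and aggregation logic run over a handful of constructed 4104 events. This is an added example written for this page, not code from splunk/security_content or from Splunk; the events, hostnames, user names and ScriptBlockId values are made up, the `$clsid` variable in the script text is a placeholder rather than a real CLSID, and the grouping is reduced to the fields that change the meaning of a result row (the SPL also groups on signature, Guid, Opcode and the other fields listed). Timestamps are rendered in UTC, whereas `security_content_ctime` uses the search head's local time.

```python
"""Replay the 'Powershell Execute COM Object' search logic over sample events.

Added worked example; not Splunk's own code. All events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Pattern exactly as written in the detection's ScriptBlockText clause.
DETECTION_PATTERN = "*CreateInstance([type]::GetTypeFromCLSID*"

# Subset of the SPL's BY fields used in this example (assumption: the others
# do not change which rows come out for these sample events).
BY_FIELDS = ("dest", "user_id", "ProcessID", "ScriptBlockId", "ScriptBlockText")


def splunk_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Splunk field=value wildcard into a compiled regex.

    Splunk treats only '*' as a wildcard and compares case-insensitively.
    Every other character is literal, including the '[' and ']' in '[type]',
    so fnmatch (where [...] is a character class) must not be used here.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


def script_block_matches(text: str, pattern: str = DETECTION_PATTERN) -> bool:
    """True if ScriptBlockText would satisfy the search's wildcard clause."""
    return splunk_wildcard_to_regex(pattern).fullmatch(text) is not None


def ctime(epoch: int) -> str:
    """Mimic `security_content_ctime`: epoch -> %Y-%m-%dT%H:%M:%S (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events, pattern: str = DETECTION_PATTERN):
    """EventCode=4104 + wildcard match, then stats count/min/max BY fields."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        if not script_block_matches(ev.get("ScriptBlockText", ""), pattern):
            continue
        # `fillnull` with no arguments replaces missing values with 0.
        key = tuple(ev.get(f, 0) for f in BY_FIELDS)
        groups[key].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(BY_FIELDS, key))
        row.update(count=len(times), firstTime=ctime(min(times)), lastTime=ctime(max(times)))
        rows.append(row)
    return sorted(rows, key=lambda r: (r["dest"], r["user_id"], r["ScriptBlockId"]))


# Constructed sample events (not real telemetry). _time is epoch seconds;
# 1709287200 is 2024-03-01T10:00:00Z.
COM_CALL = "$o = [Activator]::CreateInstance([type]::GetTypeFromCLSID($clsid))"
SAMPLE_EVENTS = [
    # The same script block logged twice on one host: expect one row, count=2.
    {"EventCode": 4104, "_time": 1709287200, "dest": "ws01", "user_id": "CORP\\alice",
     "ProcessID": 4412, "ScriptBlockId": "block-a", "ScriptBlockText": COM_CALL},
    {"EventCode": 4104, "_time": 1709287260, "dest": "ws01", "user_id": "CORP\\alice",
     "ProcessID": 4412, "ScriptBlockId": "block-a", "ScriptBlockText": COM_CALL},
    # Benign script block: no match.
    {"EventCode": 4104, "_time": 1709287300, "dest": "ws02", "user_id": "CORP\\bob",
     "ProcessID": 5120, "ScriptBlockId": "block-b",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    # Matching text but a 4103 (pipeline) event: dropped by EventCode=4104.
    {"EventCode": 4103, "_time": 1709287320, "dest": "ws02", "user_id": "CORP\\bob",
     "ProcessID": 5120, "ScriptBlockId": "block-c", "ScriptBlockText": COM_CALL},
    # Same COM call spelled with [System.Type]: the literal "[type]::" does not match.
    {"EventCode": 4104, "_time": 1709287400, "dest": "ws03", "user_id": "CORP\\svc",
     "ProcessID": 7008, "ScriptBlockId": "block-d",
     "ScriptBlockText": "[Activator]::CreateInstance([System.Type]::GetTypeFromCLSID($clsid))"},
    # Odd casing still matches: Splunk wildcard comparisons ignore case.
    {"EventCode": 4104, "_time": 1709287460, "dest": "ws03", "user_id": "CORP\\svc",
     "ProcessID": 7008, "ScriptBlockId": "block-e",
     "ScriptBlockText": "[activator]::createinstance([TYPE]::gettypefromclsid($clsid))"},
]


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields two result rows: ws01/alice with count 2 (firstTime 10:00:00, lastTime 10:01:00) and ws03/svc with count 1 for the mixed-case block. The `[System.Type]` variant on ws03 produces no row, which is the practical caveat: the pattern is a literal substring of one common spelling, so an analyst tuning this search should expect misses and consider pairing it with other PowerShell analytics rather than loosening the wildcard until it floods.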