Manual
  • BluSapphire Manuals
  • BluSapphire
    • Detections
      • Creating "Detections" Using BluSapphire Portal
    • Roles & Permissions
    • Knowledge Base
  • BluGenie
    • Full Function List
      • Add-BluGenieFirewallRule
      • Clear-BlugenieMemory
      • Connect-BluGenieToSystem
      • Convert-BluGenieSID2UserName
      • Convert-BluGenieSize
      • Convert-BluGenieUserName2SID
      • Convert-BluGenieUTCtoLocal
      • ConvertFrom-Yaml
      • ConvertTo-BluGenieDate
      • ConvertTo-Yaml
      • Disable-BluGenieAllFirewallRules
      • Disable-BluGenieFirewallRule
      • Enable-BluGenieAllFirewallRules
      • Enable-BluGenieFirewallRule
      • Enable-BluGenieWinRMoverWMI
      • Expand-BluGenieArchivePS2
      • Format-BluGenieEvent
      • Get-BluGenieADGroupMembers
      • Get-BluGenieADGroups
      • Get-BluGenieADMachineInfo
      • Get-BluGenieAuditProcessTracking
      • Get-BluGenieAutoRuns
      • Get-BluGenieChildItemList
      • Get-BluGenieCOMObjectInfo
      • Get-BluGenieCurrentSessionAliases
      • Get-BluGenieCurrentSessionFunctions
      • Get-BluGenieCurrentSessionVariables
      • Get-BluGenieErrorAction
      • Get-BluGenieFileADS
      • Get-BluGenieFilePermissions
      • Get-BluGenieFileSnapshot
      • Get-BluGenieFileStreams
      • Get-BluGenieFirewallRules
      • Get-BluGenieHashInfo
      • Get-BluGenieHelp
      • Get-BluGenieHostingVersion
      • Get-BluGenieIPrange
      • Get-BluGenieLiteralPath
      • Get-BluGenieLoadedRegHives
      • Get-BluGenieLockingProcess
      • Get-BluGenieMRUActivityView
      • Get-BluGenieProcessList
      • Get-BluGenieRegistry
      • Get-BluGenieRegistryProcessTracking
      • Get-BluGenieRegSnapshot
      • Get-BluGenieRunSpaceSessionAliases
      • Get-BluGenieRunSpaceSessionFunctions
      • Get-BluGenieRunSpaceSessionVariables
      • Get-BluGenieSchTaskInfo
      • Get-BluGenieScriptDirectory
      • Get-BluGenieServiceList
      • Get-BluGenieServiceStatus
      • Get-BluGenieSessionAliasList
      • Get-BluGenieSessionFunctionList
      • Get-BluGenieSessionVariableList
      • Get-BluGenieSettings
      • Get-BluGenieSignature
      • Get-BluGenieSystemInfo
      • Get-BluGenieToolsDirectory
      • Get-BluGenieTranscriptsDir
      • Get-BluGenieTranscriptsFile
      • Get-BluGenieTrapData
      • Get-BluGenieWindowsTitle
      • Get-BluGenieWindowsUpdates
      • Install-BluGenieHarvester
      • Install-BluGenieSysMon
      • Invoke-BluGenieAnalyzer
      • Invoke-BluGenieFileBrowser
      • Invoke-BluGenieLoadAllProfileHives
      • Invoke-BluGenieNetStat
      • Invoke-BluGenieParallel
      • Invoke-BluGenieProcess
      • Invoke-BluGenieProcessHash
      • Invoke-BluGeniePSQuery
      • Invoke-BluGeniePython
      • Invoke-BluGenieSQLLQuery
      • Invoke-BluGenieThreadLock
      • Invoke-BluGenieUnLoadAllProfileHives
      • Invoke-BluGenieWalkThrough
      • Invoke-BluGenieWipe
      • Invoke-BluGenieYara
      • Invoke-PSipcalc
      • Invoke-PSnmap
      • Invoke-SQLiteBulkCopy
      • Invoke-SqliteQuery
      • Invoke-WalkThrough
      • Join-BluGenieObjects
      • New-BluGenieCommand
      • New-BluGenieHelpMenu
      • New-BluGenieService
      • New-BluGenieSessionInfo
      • New-BluGenieTimeStamp
      • New-BluGenieUID
      • New-SQLiteConnection
      • Open-BluGenieLog
      • Open-BluGenieLogDir
      • Open-BluGenieScriptDir
      • Open-BluGenieToolDir
      • Open-BluGenieTransDir
      • Out-DataTable
      • Publish-BluGenieArtifact
      • Publish-BluGenieFirewallRules
      • Remove-BluGenieFile
      • Remove-BluGenieFirewallRule
      • Remove-BluGenieModule
      • Remove-BluGenieService
      • Resolve-BluGenieDnsName
      • Send-BluGenieItem
      • Set-BluGenieAuditProcessPol
      • Set-BluGenieCommands
      • Set-BluGenieCores
      • Set-BluGenieDebugger
      • Set-BluGenieFirewallGPOStatus
      • Set-BluGenieFirewallStatus
      • Set-BluGenieJobId
      • Set-BluGenieJobMemory
      • Set-BluGenieJobTimeout
      • Set-BluGenieNoBanner
      • Set-BluGenieNoExit
      • Set-BluGenieNoSetRes
      • Set-BluGenieParallelCommands
      • Set-BluGeniePostCommands
      • Set-BluGeniePrefetch
      • Set-BluGenieProcessCPUAffinity
      • Set-BluGenieProcessPriority
      • Set-BluGenieRange
      • Set-BluGenieRemoteDesktopProcess
      • Set-BluGenieScriptCredentials
      • Set-BluGenieServiceJob
      • Set-BluGenieSessionInfo
      • Set-BluGenieSettingsPriority
      • Set-BluGenieSystems
      • Set-BluGenieThreadCount
      • Set-BluGenieTrapping
      • Set-BluGenieUpdateMods
      • Set-BluGenieVerbose
      • Show-BluGenieGUI
      • Show-BluGenieMore
      • Start-BluGenieNewProcess
      • Start-BluGenieRunSpace
      • Stop-BluGenieService
      • Test-BluGenieIsFileLocked
      • Test-BluGenieIsMutexAvailable
      • Trace-BluGenieFireWallStatus
      • Update-BluGenieFirewallProfileStatus
      • Update-BluGenieSysinternals
      • Update-Sqlite
      • Write BluGenieVerboseMsg
    • Functions by Category
      • Discovery
        • Registry
        • File/Folder
        • Process
        • System
        • Network
        • ActiveDirectory
      • Execution
        • Registry
        • File/Folder
        • Process
        • System
        • Network
        • Tools
      • Support
    • Artifacts
      • Example Template
      • Tactical Artifacts by Category
        • Combination Query
          • Query Autorun locations for any item nested that is not digitally signed
        • EventLog Query
          • Query for Process execution from unusual directories
          • Query suspicious programs processed by the Task Scheduler using the Event Log
          • Query for unusual instances of rundll32.exe via the Event Log
          • Query for Unusual Instances of rundll32.exe making outbound network connections using SysMon Data
          • Query Suspicious Powershell Command Line Executions
          • Query the Windows System Log for 104, 517, 1102
        • File and Folder Query
          • Query for malicious file types in all users and system temp directories
          • Query Malicious file types from any directory not including the default OS and Install directories
          • Query all users for their Powershell Profile content for Powershell, Powershell_ISE, and VS Code
          • Query to Determine if any lolbin files are installed outside the normal OS and Program Files dir's
        • Network Query
          • Query for Unusual Windows Network Activity
        • Process Query
          • Query for all Processes not running from the Windows and Program Files.* Directories
        • Registry Query
          • Query Information from the Registry on Recentdocs, Recentapps
          • Query Registry for a list of mounted USB storage devices, including external memory cards
          • Query the Most Recently Used items from the Registry
          • Query the Most Recently Open and Saved File information from the Registry
          • Query all Run, RunOnce, and RunOnceEx Registry Keys
          • Query Command list from the MRU Registry List
          • Query Startup Services from the Registry
          • Query Map Network Drives from the Registry
          • Query Shell Folders and User Shell Folders from both the HKLM and HKU Registry Information
          • Query Typed Urls from the Registry
          • Query Current Control Set Services information from the Registry
          • Query Accessibility Features from Image File Execution Options from the Registry
          • Query the Registry for Commands that are automatically executed each time cmd.exe is run
          • Query the Registry for Mounted Device information
          • Query the Registry for Browser Helper Objects (BHO)
          • Query the Registry for Explore Run commands
          • Query the Registry for Winlogon Helper Dll's
          • Query the Registry for Active Setup information
          • Query the Registry for Bypassing UAC Mechanisms from the User-Accessible information
          • Query the Registry for User-Logon, and Startup Scripts
          • Query the Registry for the most common MRU information for All User Hives, including offline users
          • Query the Registry for any user, using the SysInternals Tools
Powered by GitBook
On this page
  • Get-BluGenieCOMObjectInfo
  • SYNOPSIS
  • SYNTAX
  • DESCRIPTION
  • EXAMPLES
  • PARAMETERS
  1. BluGenie
  2. Full Function List

Get-BluGenieCOMObjectInfo



Get-BluGenieCOMObjectInfo

SYNOPSIS

Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking.

SYNTAX

Get-BluGenieCOMObjectInfo [[-FilterType] <String>] [[-Pattern] <String>] [[-COMType] <String>] [[-Algorithm] <String>] [-NotMatch] [-Signature] [-ResolveRegKeyPaths] [-TryToResolvePath] [-Walkthrough] 
[-ReturnObject] [-OutUnEscapedJSON] [<CommonParameters>]

DESCRIPTION

Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking. The process searches for .dll and .exe files that can be HiJacked using the registry CLSID.

EXAMPLES

EXAMPLE 1

Command: Get-BluGenieCOMObjectInfo
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32
Notes: The default Hash Algorithm is (MD5)

EXAMPLE 2

Command: Get-BluGenieCOMObjectInfo -Signature  -Algorithm SHA256
Description: Return all COM objects, process Signature Authentication Information and set the Hash Algorithm to (SHA256)
Notes:

EXAMPLE 3

Command: Get-BluGenieCOMObjectInfo -Signature -FilterType Signature_Verified -NotMatch -Pattern '^Signed'
Description: Filter type by (Signature_Verified) with a value not like 'Signed'
Notes:

EXAMPLE 4

Command: Get-BluGenieCOMObjectInfo -Pattern '7-Zip'
Description: Filter type by (Caption) with a value like '7-Zip'
Notes:

EXAMPLE 5

Command: Get-BluGenieCOMObjectInfo -TryToResolvePath
Description: Resolve path for any file not identiifed in the registry.  The search path is $env:windir and all sub directories.
Notes:

EXAMPLE 6

Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -ResolveRegKeyPaths
Description: Resolve the root registry key and the parent registry key paths
Notes: This will slow the process down.  Most of the time this information is not needed.  By default this option is not set

EXAMPLE 7

Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -FilterType OnDisk -NotMatch -Pattern 'True'
Description: Query for any InprocServer32 or LocalServer32 Object references that have not been located on the local system disk.
Notes:

EXAMPLE 8

Command: Get-BluGenieCOMObjectInfo -FilterType ComponentId -Pattern '{581b6888-ba70-3d90-a5f9-865f03d29c6b1}'
Description: Query for a Component ID
Notes:

EXAMPLE 9

Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -FilterType Hash -Pattern '5808c2e483c1e42bdd69d8227e80b96f|7a53101d82f382fcbc883b485b01f4e4|a54e980e453ed712a6ecf639ca70f4db'
Description: RegEx pattern to search for several instances
Notes:

EXAMPLE 10

Command: Get-BluGenieCOMObjectInfo -Help
Description: Call Help Information
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter

EXAMPLE 11

Command: Get-BluGenieCOMObjectInfo -WalkThrough
Description: Call Help Information [2]
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter

EXAMPLE 12

Command: Get-BluGenieCOMObjectInfo -OutUnEscapedJSON
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output as UnEscaped JSON format
Notes:  The OutUnEscapedJSON is used to beatify the JSON return and not Escape any Characters.  Normal return data is a Hash Table.

EXAMPLE 13

Command: Get-BluGenieCOMObjectInfo -ReturnObject
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output an Object
Notes:  The ReturnObject is used to return a PowerShell Object.  Normal return data is a Hash Table.

PARAMETERS

FilterType

-FilterType <String>
   Description: Filter by Property Type 
   Notes:  
   Filter Option = "ComponentId"			-   Com Object ID
           Filter Option = "Caption"				-   Display name
           Filter Option = "KeyRoot"				-   Parent / Root Registry Key Path
           Filter Option = "Type"					-   Key Type ( InprocServer32 | LocalServer32 )
           Filter Option = "KeyPath"				-   Full Registry Key Path
           Filter Option = "KeyValue"				-   Value from the Full Registry Key Path
           Filter Option = "FilePath"				-   Full Name and Path of the file nested in the Registry Key Value
           Filter Option = "Arguments"				-   Associated Arguments for the command
           Filter Option = "Hash"					-   The Hash value of the Process ( MACTripleDES / MD5 / RIPEMD160 / SHA1 / SHA256 / SHA384 / SHA512 ) 
           Filter Option = "OnDisk"				-   Is the file located on disk ( True / False )
           Filter Option = "Signature_Comment"		-   Display error message while pulling Signature Information [Note:  This is only available if you use the -Signature switch]
           Filter Option = "Signature_FileVersion" -   File Version and OS Build information in part of the OS [Note:  This is only available if you use the -Signature switch]
           Filter Option = "Signature_Description" -   The description of the files signature [Note:  This is only available if you use the -Signature switch]
           Filter Option = "Signature_Date"		-   Date when the file was signed [Note:  This is only available if you use the -Signature switch]
           Filter Option = "Signature_Company"		-   The company signing the file [Note:  This is only available if you use the -Signature switch]
           Filter Option = "Signature_Publisher"	-   The Publisher signing the file [Note:  This is only available if you use the -Signature switch]
           Filter Option = "Signature_Verified"	-   Verification ( Signed / UnSigned / Null ) [Note:  This is only available if you use the -Signature switch]
   Alias:
   ValidateSet: 'Type','ComponentId','Caption','KeyRoot','KeyPath','KeyValue','FilePath','Arguments','OnDisk','Hash','Signature_Comment','Signature_FileVersion','Signature_Description','Signature_Date','Signature
   _Company','Signature_Publisher','Signature_Verified'
   
   Required?                    false
   Position?                    1
   Default value                Caption
   Accept pipeline input?       false
   Accept wildcard characters?  false

Pattern

-Pattern <String>
   Description: Search Pattern using RegEx 
   Notes: Default Value = '.*' 
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    2
   Default value                .*
   Accept pipeline input?       false
   Accept wildcard characters?  false

COMType

-COMType <String>
   Description: Select which type of COM Object to search for
   Notes: 
   * InprocServer32
           * LocalServer32
   Alias:
   ValidateSet: 'InprocServer32','LocalServer32','All'
   
   Required?                    false
   Position?                    3
   Default value                All
   Accept pipeline input?       false
   Accept wildcard characters?  false

Algorithm

-Algorithm <String>
   Description:  Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file. 
   Notes:  The acceptable values for this parameter are:
   
               - SHA1
               - SHA256
               - SHA384
               - SHA512
               - MACTripleDES
               - MD5 = (Default)
               - RIPEMD160
   Alias: 
   ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512'
   
   Required?                    false
   Position?                    4
   Default value                MD5
   Accept pipeline input?       false
   Accept wildcard characters?  false

NotMatch

-NotMatch [<SwitchParameter>]
   Description: Show only results that do not match the given Pattern 
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

Signature

-Signature [<SwitchParameter>]
   Description: Query Signature information 
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ResolveRegKeyPaths

-ResolveRegKeyPaths [<SwitchParameter>]
   Description: Identify and resolve the Component ID to the parent registry key. 
   Notes: This slows down the query process and is disabled by default. 
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

TryToResolvePath

-TryToResolvePath [<SwitchParameter>]
   Description: Query the $env:windir for the file that does not have a defined path in the Registry by default. 
   Notes: This slows down the query process and is disabled by default.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

Walkthrough

-Walkthrough [<SwitchParameter>]
   Description:  Start the dynamic help menu system to help walk through the current command and all of the parameters
   Notes:  
   Alias: Help
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ReturnObject

-ReturnObject [<SwitchParameter>]
   Description: Return information as an Object
   Notes: By default the data is returned as a Hash Table
   Alias: 
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

OutUnEscapedJSON

-OutUnEscapedJSON [<SwitchParameter>]
   Description: Remove UnEsacped Char from the JSON information.
   Notes: This will beautify json and clean up the formatting.
   Alias: 
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

CommonParameters

PreviousGet-BluGenieChildItemListNextGet-BluGenieCurrentSessionAliases

Last updated 3 years ago

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see .

about_CommonParameters