# Get-BluGenieCOMObjectInfo


### Get-BluGenieCOMObjectInfo <a href="#get-blugeniecomobjectinfo" id="get-blugeniecomobjectinfo"></a>

### SYNOPSIS <a href="#synopsis" id="synopsis"></a>

Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking.

### SYNTAX <a href="#syntax" id="syntax"></a>

```
Get-BluGenieCOMObjectInfo [[-FilterType] <String>] [[-Pattern] <String>] [[-COMType] <String>] [[-Algorithm] <String>] [-NotMatch] [-Signature] [-ResolveRegKeyPaths] [-TryToResolvePath] [-Walkthrough] 
[-ReturnObject] [-OutUnEscapedJSON] [<CommonParameters>]
```

### DESCRIPTION <a href="#description" id="description"></a>

Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking. The process walks the registry CLSID keys and reports the .dll and .exe files referenced by their InprocServer32 and LocalServer32 values, which are the entries a COM Object HiJack would point at a different file.
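An added PowerShell example, not BluGenie's own code, that performs the enumeration this description outlines (CLSID server keys, path resolution under $env:windir, hash and Authenticode status of the file on disk). The parameter names mirror the cmdlet's, but the script body is assumed, not the module's implementation.

```powershell
# Added example, not BluGenie's own code: walk HKCR\CLSID the way the cmdlet's
# description outlines and report server entries, flagging files missing on disk.
# Assumes Windows PowerShell 5.1+ and read access to HKEY_CLASSES_ROOT.
param(
    [ValidateSet('InprocServer32', 'LocalServer32', 'All')] [string]$COMType = 'All',
    [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')] [string]$Algorithm = 'SHA256',
    [switch]$TryToResolvePath
)
$types = if ($COMType -eq 'All') { 'InprocServer32', 'LocalServer32' } else { $COMType }

# Split a server value such as  "C:\App\srv.exe" /Automation  or  %SystemRoot%\system32\x.dll
# into the file path and any trailing arguments (.NET allows the duplicate group name 'p').
function Split-ServerValue([string]$Value) {
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    $m = [regex]::Match($v, '^(?:"(?<p>[^"]+)"|(?<p>.+?\.(?:dll|exe|ocx)))(?:\s+(?<a>.*))?$', 'IgnoreCase')
    if ($m.Success) { return @{ Path = $m.Groups['p'].Value; Args = $m.Groups['a'].Value } }
    return @{ Path = $v; Args = '' }   # no recognisable extension: keep the whole value
}

foreach ($clsid in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    foreach ($type in $types) {
        $key = "$($clsid.PSPath)\$type"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $parsed = Split-ServerValue $raw
        $path = $parsed.Path
        # A bare file name has no directory; like -TryToResolvePath, look for it under $env:windir.
        if ($TryToResolvePath -and -not (Split-Path -Path $path -Parent)) {
            $hit = Get-ChildItem -Path $env:windir -Filter $path -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($hit) { $path = $hit.FullName }
        }
        # OnDisk = False is the hijack precondition: a file dropped at that path is what gets loaded.
        $onDisk = Test-Path -LiteralPath $path -PathType Leaf
        $hash = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm $Algorithm).Hash } else { $null }
        $sig  = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { $null }
        [pscustomobject]@{
            ComponentId = $clsid.PSChildName
            Caption     = (Get-ItemProperty -LiteralPath $clsid.PSPath -ErrorAction SilentlyContinue).'(default)'
            Type        = $type;  KeyValue = $raw;  FilePath = $path;  Arguments = $parsed.Args
            OnDisk      = $onDisk;  Hash = $hash;  Signature_Verified = $sig
        }
    }
}
```

Pipe the output through `Where-Object { -not $_.OnDisk -or $_.Signature_Verified -ne 'Valid' }` to get the same view as Examples 3 and 7 above.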

### EXAMPLES <a href="#examples" id="examples"></a>

#### EXAMPLE 1 <a href="#example-1" id="example-1"></a>

```
Command: Get-BluGenieCOMObjectInfo
```

```
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32
Notes: The default Hash Algorithm is (MD5)
```

#### EXAMPLE 2 <a href="#example-2" id="example-2"></a>

```
Command: Get-BluGenieCOMObjectInfo -Signature -Algorithm SHA256
```

```
Description: Return all COM objects, process Signature Authentication Information and set the Hash Algorithm to (SHA256)
Notes:
```

#### EXAMPLE 3 <a href="#example-3" id="example-3"></a>

```
Command: Get-BluGenieCOMObjectInfo -Signature -FilterType Signature_Verified -NotMatch -Pattern '^Signed'
```

```
Description: Filter type by (Signature_Verified) with a value not like 'Signed'
Notes:
```

#### EXAMPLE 4 <a href="#example-4" id="example-4"></a>

```
Command: Get-BluGenieCOMObjectInfo -Pattern '7-Zip'
```

```
Description: Filter type by (Caption) with a value like '7-Zip'
Notes:
```

#### EXAMPLE 5 <a href="#example-5" id="example-5"></a>

```
Command: Get-BluGenieCOMObjectInfo -TryToResolvePath
```

```
Description: Resolve the path for any file not identified in the registry.  The search path is $env:windir and all sub directories.
Notes:
```

#### EXAMPLE 6 <a href="#example-6" id="example-6"></a>

```
Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -ResolveRegKeyPaths
```

```
Description: Resolve the root registry key and the parent registry key paths
Notes: This will slow the process down.  Most of the time this information is not needed.  By default this option is not set
```

#### EXAMPLE 7 <a href="#example-7" id="example-7"></a>

```
Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -FilterType OnDisk -NotMatch -Pattern 'True'
```

```
Description: Query for any InprocServer32 or LocalServer32 Object references that have not been located on the local system disk.
Notes:
```

#### EXAMPLE 8 <a href="#example-8" id="example-8"></a>

```
Command: Get-BluGenieCOMObjectInfo -FilterType ComponentId -Pattern '{581b6888-ba70-3d90-a5f9-865f03d29c6b1}'
```

```
Description: Query for a Component ID
Notes:
```

#### EXAMPLE 9 <a href="#example-9" id="example-9"></a>

```
Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -FilterType Hash -Pattern '5808c2e483c1e42bdd69d8227e80b96f|7a53101d82f382fcbc883b485b01f4e4|a54e980e453ed712a6ecf639ca70f4db'
```

```
Description: RegEx pattern to search for several instances
Notes:
```

#### EXAMPLE 10 <a href="#example-10" id="example-10"></a>

```
Command: Get-BluGenieCOMObjectInfo -Help
```

```
Description: Call Help Information
Notes: If Help / WalkThrough is set up as a parameter, this script is called to set up the Dynamic Help Menu; otherwise the normal Get-Help is called with the -Full parameter
```

#### EXAMPLE 11 <a href="#example-11" id="example-11"></a>

```
Command: Get-BluGenieCOMObjectInfo -WalkThrough
```

```
Description: Call Help Information [2]
Notes: If Help / WalkThrough is set up as a parameter, this script is called to set up the Dynamic Help Menu; otherwise the normal Get-Help is called with the -Full parameter
```

#### EXAMPLE 12 <a href="#example-12" id="example-12"></a>

```
Command: Get-BluGenieCOMObjectInfo -OutUnEscapedJSON
```

```
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output as UnEscaped JSON format
Notes:  The OutUnEscapedJSON switch is used to beautify the JSON return and not Escape any Characters.  Normal return data is a Hash Table.
```

#### EXAMPLE 13 <a href="#example-13" id="example-13"></a>

```
Command: Get-BluGenieCOMObjectInfo -ReturnObject
```

```
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output as an Object
Notes:  The ReturnObject switch is used to return a PowerShell Object.  Normal return data is a Hash Table.
```

### PARAMETERS <a href="#parameters" id="parameters"></a>

#### FilterType <a href="#filtertype" id="filtertype"></a>

```
-FilterType <String>
   Description: Filter by Property Type
   Notes:
   Filter Option = "ComponentId"           -   COM Object ID
   Filter Option = "Caption"               -   Display name
   Filter Option = "KeyRoot"               -   Parent / Root Registry Key Path
   Filter Option = "Type"                  -   Key Type ( InprocServer32 | LocalServer32 )
   Filter Option = "KeyPath"               -   Full Registry Key Path
   Filter Option = "KeyValue"              -   Value from the Full Registry Key Path
   Filter Option = "FilePath"              -   Full Name and Path of the file nested in the Registry Key Value
   Filter Option = "Arguments"             -   Associated Arguments for the command
   Filter Option = "Hash"                  -   The Hash value of the file ( MACTripleDES / MD5 / RIPEMD160 / SHA1 / SHA256 / SHA384 / SHA512 )
   Filter Option = "OnDisk"                -   Is the file located on disk ( True / False )
   Filter Option = "Signature_Comment"     -   Error message raised while pulling Signature Information [Note:  This is only available if you use the -Signature switch]
   Filter Option = "Signature_FileVersion" -   File Version and OS Build information (for files that are part of the OS) [Note:  This is only available if you use the -Signature switch]
   Filter Option = "Signature_Description" -   The description of the file's signature [Note:  This is only available if you use the -Signature switch]
   Filter Option = "Signature_Date"        -   Date when the file was signed [Note:  This is only available if you use the -Signature switch]
   Filter Option = "Signature_Company"     -   The company signing the file [Note:  This is only available if you use the -Signature switch]
   Filter Option = "Signature_Publisher"   -   The Publisher signing the file [Note:  This is only available if you use the -Signature switch]
   Filter Option = "Signature_Verified"    -   Verification ( Signed / UnSigned / Null ) [Note:  This is only available if you use the -Signature switch]
   Alias:
   ValidateSet: 'Type','ComponentId','Caption','KeyRoot','KeyPath','KeyValue','FilePath','Arguments','OnDisk','Hash','Signature_Comment','Signature_FileVersion','Signature_Description','Signature_Date','Signature_Company','Signature_Publisher','Signature_Verified'
   
   Required?                    false
   Position?                    1
   Default value                Caption
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### Pattern <a href="#pattern" id="pattern"></a>

```
-Pattern <String>
   Description: Search Pattern using RegEx 
   Notes: Default Value = '.*' 
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    2
   Default value                .*
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### COMType <a href="#comtype" id="comtype"></a>

```
-COMType <String>
   Description: Select which type of COM Object to search for
   Notes:
   * InprocServer32
   * LocalServer32
   Alias:
   ValidateSet: 'InprocServer32','LocalServer32','All'
   
   Required?                    false
   Position?                    3
   Default value                All
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### Algorithm <a href="#algorithm" id="algorithm"></a>

```
-Algorithm <String>
   Description:  Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file. 
   Notes:  The acceptable values for this parameter are:
   
               - SHA1
               - SHA256
               - SHA384
               - SHA512
               - MACTripleDES
               - MD5 = (Default)
               - RIPEMD160
   Alias: 
   ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512'
   
   Required?                    false
   Position?                    4
   Default value                MD5
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### NotMatch <a href="#notmatch" id="notmatch"></a>

```
-NotMatch [<SwitchParameter>]
   Description: Show only results that do not match the given Pattern 
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### Signature <a href="#signature" id="signature"></a>

```
-Signature [<SwitchParameter>]
   Description: Query Signature information 
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### ResolveRegKeyPaths <a href="#resolveregkeypaths" id="resolveregkeypaths"></a>

```
-ResolveRegKeyPaths [<SwitchParameter>]
   Description: Identify and resolve the Component ID to the parent registry key. 
   Notes: This slows down the query process and is disabled by default. 
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### TryToResolvePath <a href="#trytoresolvepath" id="trytoresolvepath"></a>

```
-TryToResolvePath [<SwitchParameter>]
   Description: Query the $env:windir for the file that does not have a defined path in the Registry by default. 
   Notes: This slows down the query process and is disabled by default.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### Walkthrough <a href="#walkthrough" id="walkthrough"></a>

```
-Walkthrough [<SwitchParameter>]
   Description:  Start the dynamic help menu system to help walk through the current command and all of the parameters
   Notes:  
   Alias: Help
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### ReturnObject <a href="#returnobject" id="returnobject"></a>

```
-ReturnObject [<SwitchParameter>]
   Description: Return information as an Object
   Notes: By default the data is returned as a Hash Table
   Alias: 
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### OutUnEscapedJSON <a href="#outunescapedjson" id="outunescapedjson"></a>

```
-OutUnEscapedJSON [<SwitchParameter>]
   Description: Return the JSON information without escaping characters.
   Notes: This will beautify the JSON and clean up the formatting.
   Alias: 
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### CommonParameters <a href="#commonparameters" id="commonparameters"></a>

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about\_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
