Get-BluGenieCOMObjectInfo
Get-BluGenieCOMObjectInfo
SYNOPSIS
Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking.
SYNTAX
Get-BluGenieCOMObjectInfo [[-FilterType] <String>] [[-Pattern] <String>] [[-COMType] <String>] [[-Algorithm] <String>] [-NotMatch] [-Signature] [-ResolveRegKeyPaths] [-TryToResolvePath] [-Walkthrough]
[-ReturnObject] [-OutUnEscapedJSON] [<CommonParameters>]
DESCRIPTION
Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking. The process searches for .dll and .exe files that can be HiJacked using the registry CLSID.
EXAMPLES
EXAMPLE 1
Command: Get-BluGenieCOMObjectInfo
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32
Notes: The default Hash Algorithm is (MD5)
EXAMPLE 2
Command: Get-BluGenieCOMObjectInfo -Signature -Algorithm SHA256
Description: Return all COM objects, process Signature Authentication Information and set the Hash Algorithm to (SHA256)
Notes:
EXAMPLE 3
Command: Get-BluGenieCOMObjectInfo -Signature -FilterType Signature_Verified -NotMatch -Pattern '^Signed'
Description: Filter type by (Signature_Verified) with a value not like 'Signed'
Notes:
EXAMPLE 4
Command: Get-BluGenieCOMObjectInfo -Pattern '7-Zip'
Description: Filter type by (Caption) with a value like '7-Zip'
Notes:
EXAMPLE 5
Command: Get-BluGenieCOMObjectInfo -TryToResolvePath
Description: Resolve path for any file not identiifed in the registry. The search path is $env:windir and all sub directories.
Notes:
EXAMPLE 6
Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -ResolveRegKeyPaths
Description: Resolve the root registry key and the parent registry key paths
Notes: This will slow the process down. Most of the time this information is not needed. By default this option is not set
EXAMPLE 7
Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -FilterType OnDisk -NotMatch -Pattern 'True'
Description: Query for any InprocServer32 or LocalServer32 Object references that have not been located on the local system disk.
Notes:
EXAMPLE 8
Command: Get-BluGenieCOMObjectInfo -FilterType ComponentId -Pattern '{581b6888-ba70-3d90-a5f9-865f03d29c6b1}'
Description: Query for a Component ID
Notes:
EXAMPLE 9
Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -FilterType Hash -Pattern '5808c2e483c1e42bdd69d8227e80b96f|7a53101d82f382fcbc883b485b01f4e4|a54e980e453ed712a6ecf639ca70f4db'
Description: RegEx pattern to search for several instances
Notes:
EXAMPLE 10
Command: Get-BluGenieCOMObjectInfo -Help
Description: Call Help Information
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter
EXAMPLE 11
Command: Get-BluGenieCOMObjectInfo -WalkThrough
Description: Call Help Information [2]
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter
EXAMPLE 12
Command: Get-BluGenieCOMObjectInfo -OutUnEscapedJSON
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output as UnEscaped JSON format
Notes: The OutUnEscapedJSON is used to beatify the JSON return and not Escape any Characters. Normal return data is a Hash Table.
EXAMPLE 13
Command: Get-BluGenieCOMObjectInfo -ReturnObject
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output an Object
Notes: The ReturnObject is used to return a PowerShell Object. Normal return data is a Hash Table.
PARAMETERS
FilterType
-FilterType <String>
Description: Filter by Property Type
Notes:
Filter Option = "ComponentId" - Com Object ID
Filter Option = "Caption" - Display name
Filter Option = "KeyRoot" - Parent / Root Registry Key Path
Filter Option = "Type" - Key Type ( InprocServer32 | LocalServer32 )
Filter Option = "KeyPath" - Full Registry Key Path
Filter Option = "KeyValue" - Value from the Full Registry Key Path
Filter Option = "FilePath" - Full Name and Path of the file nested in the Registry Key Value
Filter Option = "Arguments" - Associated Arguments for the command
Filter Option = "Hash" - The Hash value of the Process ( MACTripleDES / MD5 / RIPEMD160 / SHA1 / SHA256 / SHA384 / SHA512 )
Filter Option = "OnDisk" - Is the file located on disk ( True / False )
Filter Option = "Signature_Comment" - Display error message while pulling Signature Information [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_FileVersion" - File Version and OS Build information in part of the OS [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Description" - The description of the files signature [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Date" - Date when the file was signed [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Company" - The company signing the file [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Publisher" - The Publisher signing the file [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Verified" - Verification ( Signed / UnSigned / Null ) [Note: This is only available if you use the -Signature switch]
Alias:
ValidateSet: 'Type','ComponentId','Caption','KeyRoot','KeyPath','KeyValue','FilePath','Arguments','OnDisk','Hash','Signature_Comment','Signature_FileVersion','Signature_Description','Signature_Date','Signature
_Company','Signature_Publisher','Signature_Verified'
Required? false
Position? 1
Default value Caption
Accept pipeline input? false
Accept wildcard characters? false
Pattern
-Pattern <String>
Description: Search Pattern using RegEx
Notes: Default Value = '.*'
Alias:
ValidateSet:
Required? false
Position? 2
Default value .*
Accept pipeline input? false
Accept wildcard characters? false
COMType
-COMType <String>
Description: Select which type of COM Object to search for
Notes:
* InprocServer32
* LocalServer32
Alias:
ValidateSet: 'InprocServer32','LocalServer32','All'
Required? false
Position? 3
Default value All
Accept pipeline input? false
Accept wildcard characters? false
Algorithm
-Algorithm <String>
Description: Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file.
Notes: The acceptable values for this parameter are:
- SHA1
- SHA256
- SHA384
- SHA512
- MACTripleDES
- MD5 = (Default)
- RIPEMD160
Alias:
ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512'
Required? false
Position? 4
Default value MD5
Accept pipeline input? false
Accept wildcard characters? false
NotMatch
-NotMatch [<SwitchParameter>]
Description: Show only results that do not match the given Pattern
Notes:
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
Signature
-Signature [<SwitchParameter>]
Description: Query Signature information
Notes:
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
ResolveRegKeyPaths
-ResolveRegKeyPaths [<SwitchParameter>]
Description: Identify and resolve the Component ID to the parent registry key.
Notes: This slows down the query process and is disabled by default.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
TryToResolvePath
-TryToResolvePath [<SwitchParameter>]
Description: Query the $env:windir for the file that does not have a defined path in the Registry by default.
Notes: This slows down the query process and is disabled by default.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
Walkthrough
-Walkthrough [<SwitchParameter>]
Description: Start the dynamic help menu system to help walk through the current command and all of the parameters
Notes:
Alias: Help
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
ReturnObject
-ReturnObject [<SwitchParameter>]
Description: Return information as an Object
Notes: By default the data is returned as a Hash Table
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
OutUnEscapedJSON
-OutUnEscapedJSON [<SwitchParameter>]
Description: Remove UnEsacped Char from the JSON information.
Notes: This will beautify json and clean up the formatting.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Last updated