Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking. The process searches for .dll and .exe files that can be HiJacked using the registry CLSID.
EXAMPLES
EXAMPLE 1
Command: Get-BluGenieCOMObjectInfo
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32
Notes: The default Hash Algorithm is (MD5)
EXAMPLE 2
EXAMPLE 3
EXAMPLE 4
EXAMPLE 5
EXAMPLE 6
EXAMPLE 7
EXAMPLE 8
EXAMPLE 9
EXAMPLE 10
EXAMPLE 11
EXAMPLE 12
EXAMPLE 13
PARAMETERS
FilterType
Pattern
COMType
Algorithm
NotMatch
Signature
ResolveRegKeyPaths
TryToResolvePath
Walkthrough
ReturnObject
OutUnEscapedJSON
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Description: Resolve the root registry key and the parent registry key paths
Notes: This will slow the process down. Most of the time this information is not needed. By default this option is not set
Description: RegEx pattern to search for several instances
Notes:
Command: Get-BluGenieCOMObjectInfo -Help
Description: Call Help Information
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter
Command: Get-BluGenieCOMObjectInfo -WalkThrough
Description: Call Help Information [2]
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output as UnEscaped JSON format
Notes: The OutUnEscapedJSON is used to beatify the JSON return and not Escape any Characters. Normal return data is a Hash Table.
Command: Get-BluGenieCOMObjectInfo -ReturnObject
Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output an Object
Notes: The ReturnObject is used to return a PowerShell Object. Normal return data is a Hash Table.
-FilterType <String>
Description: Filter by Property Type
Notes:
Filter Option = "ComponentId" - Com Object ID
Filter Option = "Caption" - Display name
Filter Option = "KeyRoot" - Parent / Root Registry Key Path
Filter Option = "Type" - Key Type ( InprocServer32 | LocalServer32 )
Filter Option = "KeyPath" - Full Registry Key Path
Filter Option = "KeyValue" - Value from the Full Registry Key Path
Filter Option = "FilePath" - Full Name and Path of the file nested in the Registry Key Value
Filter Option = "Arguments" - Associated Arguments for the command
Filter Option = "Hash" - The Hash value of the Process ( MACTripleDES / MD5 / RIPEMD160 / SHA1 / SHA256 / SHA384 / SHA512 )
Filter Option = "OnDisk" - Is the file located on disk ( True / False )
Filter Option = "Signature_Comment" - Display error message while pulling Signature Information [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_FileVersion" - File Version and OS Build information in part of the OS [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Description" - The description of the files signature [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Date" - Date when the file was signed [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Company" - The company signing the file [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Publisher" - The Publisher signing the file [Note: This is only available if you use the -Signature switch]
Filter Option = "Signature_Verified" - Verification ( Signed / UnSigned / Null ) [Note: This is only available if you use the -Signature switch]
Alias:
ValidateSet: 'Type','ComponentId','Caption','KeyRoot','KeyPath','KeyValue','FilePath','Arguments','OnDisk','Hash','Signature_Comment','Signature_FileVersion','Signature_Description','Signature_Date','Signature
_Company','Signature_Publisher','Signature_Verified'
Required? false
Position? 1
Default value Caption
Accept pipeline input? false
Accept wildcard characters? false
-Pattern <String>
Description: Search Pattern using RegEx
Notes: Default Value = '.*'
Alias:
ValidateSet:
Required? false
Position? 2
Default value .*
Accept pipeline input? false
Accept wildcard characters? false
-COMType <String>
Description: Select which type of COM Object to search for
Notes:
* InprocServer32
* LocalServer32
Alias:
ValidateSet: 'InprocServer32','LocalServer32','All'
Required? false
Position? 3
Default value All
Accept pipeline input? false
Accept wildcard characters? false
-Algorithm <String>
Description: Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file.
Notes: The acceptable values for this parameter are:
- SHA1
- SHA256
- SHA384
- SHA512
- MACTripleDES
- MD5 = (Default)
- RIPEMD160
Alias:
ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512'
Required? false
Position? 4
Default value MD5
Accept pipeline input? false
Accept wildcard characters? false
-NotMatch [<SwitchParameter>]
Description: Show only results that do not match the given Pattern
Notes:
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Signature [<SwitchParameter>]
Description: Query Signature information
Notes:
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-ResolveRegKeyPaths [<SwitchParameter>]
Description: Identify and resolve the Component ID to the parent registry key.
Notes: This slows down the query process and is disabled by default.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-TryToResolvePath [<SwitchParameter>]
Description: Query the $env:windir for the file that does not have a defined path in the Registry by default.
Notes: This slows down the query process and is disabled by default.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Walkthrough [<SwitchParameter>]
Description: Start the dynamic help menu system to help walk through the current command and all of the parameters
Notes:
Alias: Help
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-ReturnObject [<SwitchParameter>]
Description: Return information as an Object
Notes: By default the data is returned as a Hash Table
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-OutUnEscapedJSON [<SwitchParameter>]
Description: Remove UnEsacped Char from the JSON information.
Notes: This will beautify json and clean up the formatting.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
