# Get-BluGenieCOMObjectInfo ### Get-BluGenieCOMObjectInfo ### SYNOPSIS Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking. ### SYNTAX ``` Get-BluGenieCOMObjectInfo [[-FilterType] ] [[-Pattern] ] [[-COMType] ] [[-Algorithm] ] [-NotMatch] [-Signature] [-ResolveRegKeyPaths] [-TryToResolvePath] [-Walkthrough] [-ReturnObject] [-OutUnEscapedJSON] [] ``` ### DESCRIPTION Get-BluGenieCOMObjectInfo will query for possible COM Object HiJacking. The process searches for .dll and .exe files that can be HiJacked using the registry CLSID. ### EXAMPLES #### EXAMPLE 1 ``` Command: Get-BluGenieCOMObjectInfo ``` ``` Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 Notes: The default Hash Algorithm is (MD5) ``` #### EXAMPLE 2 ``` Command: Get-BluGenieCOMObjectInfo -Signature -Algorithm SHA256 ``` ``` Description: Return all COM objects, process Signature Authentication Information and set the Hash Algorithm to (SHA256) Notes: ``` #### EXAMPLE 3 ``` Command: Get-BluGenieCOMObjectInfo -Signature -FilterType Signature_Verified -NotMatch -Pattern '^Signed' ``` ``` Description: Filter type by (Signature_Verified) with a value not like 'Signed' Notes: ``` #### EXAMPLE 4 ``` Command: Get-BluGenieCOMObjectInfo -Pattern '7-Zip' ``` ``` Description: Filter type by (Caption) with a value like '7-Zip' Notes: ``` #### EXAMPLE 5 ``` Command: Get-BluGenieCOMObjectInfo -TryToResolvePath ``` ``` Description: Resolve path for any file not identiifed in the registry. The search path is $env:windir and all sub directories. Notes: ``` #### EXAMPLE 6 ``` Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -ResolveRegKeyPaths ``` ``` Description: Resolve the root registry key and the parent registry key paths Notes: This will slow the process down. Most of the time this information is not needed. By default this option is not set ``` #### EXAMPLE 7 ``` Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -FilterType OnDisk -NotMatch -Pattern 'True' ``` ``` Description: Query for any InprocServer32 or LocalServer32 Object references that have not been located on the local system disk. Notes: ``` #### EXAMPLE 8 ``` Command: Get-BluGenieCOMObjectInfo -FilterType ComponentId -Pattern '{581b6888-ba70-3d90-a5f9-865f03d29c6b1}' ``` ``` Description: Query for a Component ID Notes: ``` #### EXAMPLE 9 ``` Command: Get-BluGenieCOMObjectInfo -TryToResolvePath -FilterType Hash -Pattern '5808c2e483c1e42bdd69d8227e80b96f|7a53101d82f382fcbc883b485b01f4e4|a54e980e453ed712a6ecf639ca70f4db' ``` ``` Description: RegEx pattern to search for several instances Notes: ``` #### EXAMPLE 10 ``` Command: Get-BluGenieCOMObjectInfo -Help ``` ``` Description: Call Help Information Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter ``` #### EXAMPLE 11 ``` Command: Get-BluGenieCOMObjectInfo -WalkThrough ``` ``` Description: Call Help Information [2] Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter ``` #### EXAMPLE 12 ``` Command: Get-BluGenieCOMObjectInfo -OutUnEscapedJSON ``` ``` Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output as UnEscaped JSON format Notes: The OutUnEscapedJSON is used to beatify the JSON return and not Escape any Characters. Normal return data is a Hash Table. ``` #### EXAMPLE 13 ``` Command: Get-BluGenieCOMObjectInfo -ReturnObject ``` ``` Description: Return all COM objects that have a value for InprocServer32 or LocalServer32 and Return Output an Object Notes: The ReturnObject is used to return a PowerShell Object. Normal return data is a Hash Table. ``` ### PARAMETERS #### FilterType ``` -FilterType Description: Filter by Property Type Notes: Filter Option = "ComponentId" - Com Object ID Filter Option = "Caption" - Display name Filter Option = "KeyRoot" - Parent / Root Registry Key Path Filter Option = "Type" - Key Type ( InprocServer32 | LocalServer32 ) Filter Option = "KeyPath" - Full Registry Key Path Filter Option = "KeyValue" - Value from the Full Registry Key Path Filter Option = "FilePath" - Full Name and Path of the file nested in the Registry Key Value Filter Option = "Arguments" - Associated Arguments for the command Filter Option = "Hash" - The Hash value of the Process ( MACTripleDES / MD5 / RIPEMD160 / SHA1 / SHA256 / SHA384 / SHA512 ) Filter Option = "OnDisk" - Is the file located on disk ( True / False ) Filter Option = "Signature_Comment" - Display error message while pulling Signature Information [Note: This is only available if you use the -Signature switch] Filter Option = "Signature_FileVersion" - File Version and OS Build information in part of the OS [Note: This is only available if you use the -Signature switch] Filter Option = "Signature_Description" - The description of the files signature [Note: This is only available if you use the -Signature switch] Filter Option = "Signature_Date" - Date when the file was signed [Note: This is only available if you use the -Signature switch] Filter Option = "Signature_Company" - The company signing the file [Note: This is only available if you use the -Signature switch] Filter Option = "Signature_Publisher" - The Publisher signing the file [Note: This is only available if you use the -Signature switch] Filter Option = "Signature_Verified" - Verification ( Signed / UnSigned / Null ) [Note: This is only available if you use the -Signature switch] Alias: ValidateSet: 'Type','ComponentId','Caption','KeyRoot','KeyPath','KeyValue','FilePath','Arguments','OnDisk','Hash','Signature_Comment','Signature_FileVersion','Signature_Description','Signature_Date','Signature _Company','Signature_Publisher','Signature_Verified' Required? false Position? 1 Default value Caption Accept pipeline input? false Accept wildcard characters? false ``` #### Pattern ``` -Pattern Description: Search Pattern using RegEx Notes: Default Value = '.*' Alias: ValidateSet: Required? false Position? 2 Default value .* Accept pipeline input? false Accept wildcard characters? false ``` #### COMType ``` -COMType Description: Select which type of COM Object to search for Notes: * InprocServer32 * LocalServer32 Alias: ValidateSet: 'InprocServer32','LocalServer32','All' Required? false Position? 3 Default value All Accept pipeline input? false Accept wildcard characters? false ``` #### Algorithm ``` -Algorithm Description: Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file. Notes: The acceptable values for this parameter are: - SHA1 - SHA256 - SHA384 - SHA512 - MACTripleDES - MD5 = (Default) - RIPEMD160 Alias: ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512' Required? false Position? 4 Default value MD5 Accept pipeline input? false Accept wildcard characters? false ``` #### NotMatch ``` -NotMatch [] Description: Show only results that do not match the given Pattern Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### Signature ``` -Signature [] Description: Query Signature information Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### ResolveRegKeyPaths ``` -ResolveRegKeyPaths [] Description: Identify and resolve the Component ID to the parent registry key. Notes: This slows down the query process and is disabled by default. Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### TryToResolvePath ``` -TryToResolvePath [] Description: Query the $env:windir for the file that does not have a defined path in the Registry by default. Notes: This slows down the query process and is disabled by default. Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### Walkthrough ``` -Walkthrough [] Description: Start the dynamic help menu system to help walk through the current command and all of the parameters Notes: Alias: Help ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### ReturnObject ``` -ReturnObject [] Description: Return information as an Object Notes: By default the data is returned as a Hash Table Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### OutUnEscapedJSON ``` -OutUnEscapedJSON [] Description: Remove UnEsacped Char from the JSON information. Notes: This will beautify json and clean up the formatting. Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### CommonParameters This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about\_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://manuals.blusapphire.io/blugenie/full-function-list/get-blugeniecomobjectinfo.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.