Skip to content

Latest commit

 

History

History
71 lines (52 loc) · 2.51 KB

README.md

File metadata and controls

71 lines (52 loc) · 2.51 KB

🥷🏻 CLSID-Ninja

CLSID Ninja

📜 Tool Description

Your PowerShell-powered solution for effortless CLSID analysis! Designed for Threat Researchers and Malware Analysts, this tool simplifies the process of extracting and inspecting users' CLSID registry values. Easily identify potential threats and malicious activity by examining COM Objects for compromise or replacement by malware. CLSID Ninja offers a comprehensive view, allowing you to access CLSID lists for both online (Active Users) and offline users by loading UsrClass.DAT files into the HKLM hive. Streamline your analysis with CLSID Ninja today!

📐 Compatibility

Working with EDR's? not a problem!
CLSID Ninja is designed to seamlessly integrate into your workflow:

  • Local Host: CLSID Ninja can be run locally on the host itself.
  • Cortex XDR Live Terminal: Easily execute CLSID Ninja within the Cortex XDR Live Terminal, enhancing your threat analysis capabilities.
  • Falcon Crowdstrike RTR: Extend your threat detection and response capabilities with CLSID Ninja in Falcon Crowdstrike RTR, ensuring effective CLSID analysis directly within the platform.

Tested on: Windows 10, Windows 11.

✏️ How to Run

Show menu of options

.\CLSID-Ninja.ps1 -Search Menu
Click to see screenshot

image


Show all users CLSID

.\CLSID-Ninja.ps1 -Search All
Click to see screenshot

image


Search for specific CLSID on all the users on the host

.\CLSID-Ninja -Search CLSID "{PUT-YOUR-CLSID}"
Example: .\CLSID-Ninja -Search CLSID ""{0003000A-0000-0000-C000-000000000046}"
Click to see screenshot

image

🦅 Example for running tool on Falcon Crowdstrike

Click to see video
The first line of code, is to bypass the execution policy so you can run script on the system.
Set-ExecutionPolicy b p

Example for CS