rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml

title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: test
description: |
    Adversaries may abuse PowerShell commands and scripts for execution.
    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
    Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
author: frack113
date: 2022-01-19
modified: 2023-01-19
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_xml:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'System.Xml.XmlDocument'
            - '.Load'
    selection_exec:
        ScriptBlockText|contains:
            - 'IEX '
            - 'Invoke-Expression '
            - 'Invoke-Command '
            - 'ICM -'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative script
level: medium
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`title: Powershell XML Execute Command`
			`id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b`
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test` 2023-12-01 12:50:36 +01:00			`status: test`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`description: \|`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`Adversaries may abuse PowerShell commands and scripts for execution.`
			`PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)`
			`Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`references:`
Add missing definition fields and references 2022-07-07 19:13:01 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`author: frack113`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-01-19`
			`modified: 2023-01-19`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`tags:`
			`- attack.execution`
			`- attack.t1059.001`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`logsource:`
			`product: windows`
			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`detection:`
			`selection_xml:`
			`ScriptBlockText\|contains\|all:`
feat: updates and enhancements 2023-01-02 14:49:45 +01:00			`- 'New-Object'`
			`- 'System.Xml.XmlDocument'`
			`- '.Load'`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`selection_exec:`
feat: updates and enhancements 2023-01-02 14:49:45 +01:00			`ScriptBlockText\|contains:`
			`- 'IEX '`
			`- 'Invoke-Expression '`
feat: logic update to multiple rules 2023-01-19 16:37:10 +01:00			`- 'Invoke-Command '`
			`- 'ICM -'`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`condition: all of selection_*`
			`falsepositives:`
Add missing definition fields and references 2022-07-07 19:13:01 +01:00			`- Legitimate administrative script`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`level: medium`