rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml

title: Powershell MsXml COM Object
id: 78aa1347-1517-4454-9982-b338d6df8343
status: test
description: |
    Adversaries may abuse PowerShell commands and scripts for execution.
    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
    Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
    - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
author: frack113, MatilJ
date: 2022-01-19
modified: 2022-05-19
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - '-ComObject'
            - 'MsXml2.'
            - 'XmlHttp'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`title: Powershell MsXml COM Object`
			`id: 78aa1347-1517-4454-9982-b338d6df8343`
$frack113$ Merge PR #4479 From @frack113 - Upgrade Rules Status 2023-10-17 14:35:26 +02:00			`status: test`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`description: \|`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`Adversaries may abuse PowerShell commands and scripts for execution.`
			`PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)`
			`Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`references:`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt`
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS 2024-07-02 06:00:11 -04:00			`- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)`
Fix detection 2022-05-19 21:09:47 +03:00			`- https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`author: frack113, MatilJ`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-01-19`
			`modified: 2022-05-19`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`tags:`
			`- attack.execution`
			`- attack.t1059.001`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`logsource:`
			`product: windows`
			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`detection:`
			`selection:`
			`ScriptBlockText\|contains\|all:`
Fix detection 2022-05-19 21:09:47 +03:00			`- 'New-Object'`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`- '-ComObject'`
Fix detection 2022-05-19 21:09:47 +03:00			`- 'MsXml2.'`
			`- 'XmlHttp'`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`condition: selection`
			`falsepositives:`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`- Legitimate administrative script`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`level: medium`