rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml

title: Powershell MsXml COM Object
id: 78aa1347-1517-4454-9982-b338d6df8343
status: experimental
description: |
  Adversaries may abuse PowerShell commands and scripts for execution.
  PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
  Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
author: frack113, MatilJ
date: 2022/01/19
modified: 2022/05/19
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
    - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
    - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
logsource:
    product: windows
    category: ps_script
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - '-ComObject'
            - 'MsXml2.'
            - 'XmlHttp'
    condition: selection
falsepositives:
  - Legitimate administrative script
level: medium
tags:
  - attack.execution
  - attack.t1059.001
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`title: Powershell MsXml COM Object`
			`id: 78aa1347-1517-4454-9982-b338d6df8343`
			`status: experimental`
			`description: \|`
			`Adversaries may abuse PowerShell commands and scripts for execution.`
			`PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)`
			`Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code`
Fix detection 2022-05-19 21:09:47 +03:00			`author: frack113, MatilJ`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`date: 2022/01/19`
Fix detection 2022-05-19 21:09:47 +03:00			`modified: 2022/05/19`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt`
			`- https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)`
Fix detection 2022-05-19 21:09:47 +03:00			`- https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`logsource:`
			`product: windows`
			`category: ps_script`
			`detection:`
			`selection:`
			`ScriptBlockText\|contains\|all:`
Fix detection 2022-05-19 21:09:47 +03:00			`- 'New-Object'`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`- '-ComObject'`
Fix detection 2022-05-19 21:09:47 +03:00			`- 'MsXml2.'`
			`- 'XmlHttp'`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`condition: selection`
			`falsepositives:`
fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00			`- Legitimate administrative script`
$frack113$ Add Redcannary Windows Rules 2022-01-19 20:40:43 +01:00			`level: medium`
			`tags:`
			`- attack.execution`
			`- attack.t1059.001`