security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ced93a8d170e80984da789df820e07104f2df9bf
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

36 lines
1.3 KiB
YAML
Raw Blame History

title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
author: frack113
date: 2022-01-19
modified: 2023-01-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_xml:
ScriptBlockText|contains|all:
- 'New-Object'
- 'System.Xml.XmlDocument'
- '.Load'
selection_exec:
ScriptBlockText|contains:
- 'IEX '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'ICM -'
condition: all of selection_*
falsepositives:
- Legitimate administrative script
level: medium
Reference in New Issue View Git Blame Copy Permalink