Powershell MsXml COM Object

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Sigma rule (View on GitHub)

 1title: Powershell MsXml COM Object
 2id: 78aa1347-1517-4454-9982-b338d6df8343
 3status: test
 4description: |
 5    Adversaries may abuse PowerShell commands and scripts for execution.
 6    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
 7    Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
10    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
11    - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
12author: frack113, MatilJ
13date: 2022-01-19
14modified: 2022-05-19
15tags:
16    - attack.execution
17    - attack.t1059.001
18logsource:
19    product: windows
20    category: ps_script
21    definition: 'Requirements: Script Block Logging must be enabled'
22detection:
23    selection:
24        ScriptBlockText|contains|all:
25            - 'New-Object'
26            - '-ComObject'
27            - 'MsXml2.'
28            - 'XmlHttp'
29    condition: selection
30falsepositives:
31    - Legitimate administrative script
32level: medium

References

Related rules

to-top