Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Powershell XML Execute Command

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Wed Jan 19Updated Thu Jan 196c6c6282-7671-4fe9-a0ce-a2dcebdc342bwindows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic2 selectors
detection:
    selection_xml:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'System.Xml.XmlDocument'
            - '.Load'
    selection_exec:
        ScriptBlockText|contains:
            - 'IEX '
            - 'Invoke-Expression '
            - 'Invoke-Command '
            - 'ICM -'
    condition: all of selection_*
False Positives

Legitimate administrative script

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
Status
test
Level
medium
Type
Detection
Created
Wed Jan 19
Modified
Thu Jan 19
Author
François Hubaut
Path
rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
Raw Tags
attack.executionattack.t1059.001
View on GitHub