Detectionmediumtest
Powershell MsXml COM Object
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, MatilJCreated Wed Jan 19Updated Thu May 1978aa1347-1517-4454-9982-b338d6df8343windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script
Definition
Requirements: Script Block Logging must be enabled
Detection Logic
Detection Logic1 selector
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object'
- '-ComObject'
- 'MsXml2.'
- 'XmlHttp'
condition: selectionFalse Positives
Legitimate administrative script
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
78aa1347-1517-4454-9982-b338d6df8343
Status
test
Level
medium
Type
Detection
Created
Wed Jan 19
Modified
Thu May 19
Author
Path
rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
Raw Tags
attack.executionattack.t1059.001