One possibility is that at least one of those devices wasn't patched for EternalBlue, making the installation a "sitting duck" for a Monero WannaMine attack as described here: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-attacks/
If you installed Windows Management Core framework as noted here on XP SP3: https://www.microsoft.com/en-us/download/details.aspx?id=16818, PowerShell 2.0 is also installed.
Correct. But it is not usually installed. Those who use XP even today should also uninstall each version of the .NET Framework.
Also, an attacker doesn't need to have PowerShell 2.0 installed to run PowerShell 2.0 code: https://github.com/EmpireProject/Empire
Getting back on topic, the reason I posted the Panda link is because I am working with a user in another forum that got nailed by a Monero coin miner on his server. His attack is strikingly similar to that described in the Panda article. A WMI consumer event was established to run a PowerShell command identical to that noted in the Panda write up. In this European water utility attack and barring further details, it can be assumed that Win Mgmt. framework was installed since that also includes Win Remote Mgmt. that would be needed to monitor the devices attached to the network. It can be also assumed that some type of Internet access was also allowed. I suspect additionally that RDP was also enabled in some fashion to allow for remote server access. If indeed this turns out to be a WMI-PowerShell based attack, there is a strong likelihood that a brute force RDP attack initiated the malware infection sequence of events. Almost all recent WMI - PowerShell attacks against servers I have observed were done this way.
http://www.eweek.com/security/water-utility-in-europe-hit-by-cryptocurrency-malware-mining-attack Nice ........ Sure sounds to me that those XP servers were not patched against EternalBlue. And as noted, it appears the internal network was not isolated from any devices on the external network that had Internet access.
Maybe using I.E. 8. P.S. It is interesting to note that after June 2018 the use of I.E. 8 in a W.XP system with the POSReady 2009 trick will be considered safer than other browsers. The limitation will be in opening some HTTPS websites. The problem could be lessened by implementing the TLS 1.1 and 1.2 protocols, which is fully operational, again thanks to a registry hack.
Again, I assume none of the XP servers had a browser installed or for that matter had direct access to the Internet. I don't believe the concern was that dumb. What happened most likely was that an external PC that had access to the servers for monitoring purposes was the vehicle for the attack. A worm was downloaded to it. The worm then proceeded to search out network connections to install the coin miner on. Again RDP is the most common vector used in these types of attacks. -EDIT- Sophos has a good article on RDP attacks here: https://nakedsecurity.sophos.com/2017/11/15/ransomware-spreading-hackers-sneak-in-through-rdp/
One other thing in regards to WannaMine, the attack doesn't need the target to be unpatched against EternalBlue to succeed as noted below: https://motherboard.vice.com/en_us/article/yw5yp7/monero-mining-wannamine-wannacry-nsa
Another point to note about WMI consumer events is that they don't need to be CommandLineEventConsumer events used to run PowerShell. A much stealthier method, when only a remote connection is needed as in the case of coin miners, is to use an ActiveScriptEventConsumer, which executes an embedded VBScript or JScript script payload. Also, none of your security methods for detecting things like script execution would help, since WMI contains its own built-in script engine to run the scripts.
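
For defenders following the WMI consumer discussion above, here is an added example (not code from any poster in this thread) that inventories permanent WMI event subscriptions and marks the CommandLineEventConsumer and ActiveScriptEventConsumer types for review. It assumes an elevated Windows PowerShell 2.0 to 5.1 session and looks only at the `root\subscription` namespace; the `Resolve-Ref` helper and the report column names are made up for this illustration.

```powershell
# Added example: inventory permanent WMI event subscriptions for review.
# Assumes elevated Windows PowerShell 2.0-5.1 (Get-WmiObject is absent from PowerShell 7).
$ns = 'root\subscription'
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)   # includes all subclasses
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

# Consumer classes that run a command line or an embedded script.
$execClasses = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

function Resolve-Ref($ref, $pool) {
    # Hypothetical helper: binding references may be relative or full WMI paths,
    # so match on the tail of the path.
    $pool | Where-Object {
        $ref.EndsWith($_.__RELPATH, [StringComparison]::OrdinalIgnoreCase)
    } | Select-Object -First 1
}

$report = foreach ($b in $bindings) {
    $f = Resolve-Ref $b.Filter   $filters
    $c = Resolve-Ref $b.Consumer $consumers
    # The payload lives in a different property depending on the consumer class.
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { "[$($c.ScriptingEngine)] $($c.ScriptFileName) $($c.ScriptText)" }
        default                     { '' }
    }
    New-Object PSObject -Property @{
        Review   = ($execClasses -contains $c.__CLASS)
        Class    = $c.__CLASS
        Consumer = $c.Name
        Filter   = $f.Name
        Query    = $f.Query
        Payload  = "$payload".Trim()
    }
}

# Executable consumers first; any entry an administrator cannot account for needs explaining.
$report | Sort-Object Review -Descending |
    Format-List Review, Class, Consumer, Filter, Query, Payload

# Consumers with no binding are inert but can be leftovers of a partial cleanup.
$bound = @($bindings | ForEach-Object { $_.Consumer })
$consumers | Where-Object {
    $rel = $_.__RELPATH
    -not ($bound | Where-Object { $_.EndsWith($rel, [StringComparison]::OrdinalIgnoreCase) })
} | Select-Object __CLASS, Name
```

Because an ActiveScriptEventConsumer payload is stored in the WMI repository rather than as a script file on disk, reviewing the `Payload` and `Query` columns together is what shows when the script fires and what it does.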