2019-11-12 22:05:36 +00:00
title : XSL Script Processing
2019-11-12 22:12:27 +00:00
id : 05c36dd6-79d6-4a9a-97da-3db20298ab2d
2019-11-12 22:05:36 +00:00
status : experimental
2021-07-06 09:21:22 +00:00
description : Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
2019-11-12 22:05:36 +00:00
author : Timur Zinniatullin, oscd.community
date : 2019 /10/21
modified : 2019 /11/04
references :
2021-07-06 09:21:22 +00:00
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
2019-11-12 22:05:36 +00:00
logsource :
category : process_creation
product : windows
detection :
selection :
- Image|endswith : '\wmic.exe'
CommandLine|contains : '/format' # wmic process list /FORMAT /?
- Image|endswith : '\msxsl.exe'
condition : selection
falsepositives :
2021-07-06 09:21:22 +00:00
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
2019-11-12 22:05:36 +00:00
level : medium
tags :
2020-08-29 16:22:09 +00:00
- attack.defense_evasion
2019-11-12 22:05:36 +00:00
- attack.t1220
2020-08-29 16:22:09 +00:00
- attack.execution # an old one