rules/windows/process_creation/win_xsl_script_processing.yml

title: XSL Script Processing
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
status: test
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
author: Timur Zinniatullin, oscd.community
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
date: 2019/10/21
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - Image|endswith: '\wmic.exe'
    CommandLine|contains: '/format'     # wmic process list /FORMAT /?
    - Image|endswith: '\msxsl.exe'
  condition: selection
falsepositives:
  - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
  - msxsl.exe is not installed by default, so unlikely.
level: medium
tags:
  - attack.defense_evasion
  - attack.t1220
  - attack.execution   # an old one
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`title: XSL Script Processing`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
			`description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`author: Timur Zinniatullin, oscd.community`
			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md`
			`date: 2019/10/21`
			`modified: 2021/11/27`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`- Image\|endswith: '\wmic.exe'`
			`CommandLine\|contains: '/format' # wmic process list /FORMAT /?`
			`- Image\|endswith: '\msxsl.exe'`
			`condition: selection`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.`
			`- msxsl.exe is not installed by default, so unlikely.`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`level: medium`
			`tags:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- attack.defense_evasion`
			`- attack.t1220`
			`- attack.execution # an old one`