rules/windows/sysmon/sysmon_xsl_script_processing.yml

title: XSL Script Processing
status: experimental
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
author: Timur Zinniatullin, oscd.community
references:
    - https://attack.mitre.org/techniques/T1220/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage:
          - '*\wmic.exe'
        ParentCommandLine:
          - '*/format*' # wmic process list /FORMAT /?
    selection2:
        Image:
          - '*\msxsl.exe*'
    condition:
        selection1 or selection2
falsepositives:
    - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
    - msxsl.exe is not installed by default so unlikely.
level: medium
tags:
    - attack.execution
    - attack.t1220
OSCD Task 7 ART T1220 2019-10-21 22:22:55 +03:00			`title: XSL Script Processing`
			`status: experimental`
Update sysmon_xsl_script_processing.yml 2019-10-21 23:51:39 +03:00			`description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses`
OSCD Task 7 ART T1220 2019-10-21 22:22:55 +03:00			`author: Timur Zinniatullin, oscd.community`
			`references:`
			`- https://attack.mitre.org/techniques/T1220/`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml`
			`logsource:`
Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:10 +03:00			`category: process_creation`
OSCD Task 7 ART T1220 2019-10-21 22:22:55 +03:00			`product: windows`
			`detection:`
			`selection1:`
			`ParentImage:`
Update sysmon_xsl_script_processing.yml 2019-10-21 23:39:33 +03:00			`- '*\wmic.exe'`
OSCD Task 7 ART T1220 2019-10-21 22:22:55 +03:00			`ParentCommandLine:`
Update sysmon_xsl_script_processing.yml 2019-10-22 15:20:15 +03:00			`- '/format' # wmic process list /FORMAT /?`
OSCD Task 7 ART T1220 2019-10-21 22:22:55 +03:00			`selection2:`
			`Image:`
Update sysmon_xsl_script_processing.yml 2019-10-21 23:46:11 +03:00			`- '\msxsl.exe'`
OSCD Task 7 ART T1220 2019-10-21 22:22:55 +03:00			`condition:`
			`selection1 or selection2`
			`falsepositives:`
Update sysmon_xsl_script_processing.yml 2019-10-21 23:46:11 +03:00			`- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment`
			`- msxsl.exe is not installed by default so unlikely.`
OSCD Task 7 ART T1220 2019-10-21 22:22:55 +03:00			`level: medium`
			`tags:`
Update sysmon_xsl_script_processing.yml 2019-10-22 00:08:46 +03:00			`- attack.execution`
OSCD Task 7 ART T1220 2019-10-21 22:22:55 +03:00			`- attack.t1220`