security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Change status for old rules

Browse Source
This commit is contained in:
frack113
2021-11-27 11:33:14 +01:00
parent 6664d6e522
commit 01dc930c17
547 changed files with 11964 additions and 11755 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_xsl_script_processing.yml
+17 -18
View File
@@ -1,27 +1,26 @@
title: XSL Script Processing
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
status: experimental
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
status: test
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
date: 2019/10/21
modified: 2021/11/27
logsource:
category: process_creation
product: windows
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\wmic.exe'
CommandLine|contains: '/format' # wmic process list /FORMAT /?
- Image|endswith: '\msxsl.exe'
condition: selection
selection:
- Image|endswith: '\wmic.exe'
CommandLine|contains: '/format' # wmic process list /FORMAT /?
- Image|endswith: '\msxsl.exe'
condition: selection
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
level: medium
tags:
- attack.defense_evasion
- attack.t1220
- attack.execution # an old one
- attack.defense_evasion
- attack.t1220
- attack.execution # an old one