From 784d7138cabe62dcdeb7b72c48fcd7d3dd074a39 Mon Sep 17 00:00:00 2001
From: zinint <zinin.t@gmail.com>
Date: Mon, 21 Oct 2019 22:22:55 +0300
Subject: [PATCH] OSCD Task 7 ART T1220

OSCD Task 7 ART T1220 rule add
---
 .../sysmon/sysmon_xsl_script_processing.yml   | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_xsl_script_processing.yml

diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml
new file mode 100644
index 000000000..67c43e145
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml
@@ -0,0 +1,33 @@
+title: XSL Script Processing
+status: experimental
+description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+author: Timur Zinniatullin, oscd.community
+references:
+    - https://attack.mitre.org/techniques/T1220/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        ParentImage:
+          - 'C:\Windows\System32\wbem\WMIC.exe'
+        ParentCommandLine:
+          - '*/FORMAT*' # wmic process list /FORMAT /?
+    selection2:
+        EventID: 1
+        Image:
+          - 'C:\Windows\Temp\msxsl.exe'
+          - '*msxsl.exe*'
+    condition:
+        selection1 or selection2
+fields:
+    -
+falsepositives:
+    - WMIC.exe - depend on scripts and administrative methods used in the monitored environment
+    - msxsl.exe - is not installed by default so unlikely.
+level: medium
+tags:
+    - attack.xsl_script_processing
+    - attack.t1220