From cd43354c04b8b905435f71bc80d5ce4a85f5481c Mon Sep 17 00:00:00 2001
From: zinint
Date: Mon, 4 Nov 2019 23:47:23 +0300
Subject: [PATCH] Delete sysmon_xsl_script_processing.yml

---
 .../sysmon/sysmon_xsl_script_processing.yml | 26 -------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 rules/windows/sysmon/sysmon_xsl_script_processing.yml

diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml
deleted file mode 100644
index c849ab071..000000000
--- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: XSL Script Processing
-status: experimental
-description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- ParentImage: '*\wmic.exe'
- ParentCommandLine|contains: '/format' # wmic process list /FORMAT /?
- selection2:
- Image: '*\msxsl.exe'
- condition:
- selection1 or selection2
-falsepositives:
- - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
- - msxsl.exe is not installed by default so unlikely.
-level: medium
-tags:
- - attack.execution
- - attack.t1220