title: XSL Script Processing
status: experimental
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
author: Timur Zinniatullin, oscd.community
references:
    - https://attack.mitre.org/techniques/T1220/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 1
        ParentImage:
          - 'C:\Windows\System32\wbem\WMIC.exe'
        ParentCommandLine:
          - '*/FORMAT*' # wmic process list /FORMAT /?
    selection2:
        EventID: 1
        Image:
          - 'C:\Windows\Temp\msxsl.exe'
          - '*msxsl.exe*'
    condition:
        selection1 or selection2
fields:
    -
falsepositives:
    - WMIC.exe - depend on scripts and administrative methods used in the monitored environment
    - msxsl.exe - is not installed by default so unlikely.
level: medium
tags:
    - attack.xsl_script_processing
    - attack.t1220