MsXsl Making Network Connections
Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.
# Bookkeeping read by the detection-rules tooling; nothing here changes what the query matches.
[metadata]
creation_date = "2020/09/02"
# Integrations expected to feed the `index` patterns declared under [rule].
integration = ["endpoint", "windows"]
# Still in development rather than production; the query itself notes it duplicates another rule.
maturity = "development"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often
leveraged by adversaries to execute malicious scripts and evade detection.
"""
# Lookback per run. The sequence below sets no maxspan, so this window is presumably the only
# bound on how far apart the process start and the network event may be — confirm this is intended.
from = "now-9m"
# Endpoint events from Elastic Defend plus Windows logs from Winlogbeat / the windows integration;
# both must populate process.entity_id for the sequence join to work.
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "MsXsl Making Network Connections"
risk_score = 47
rule_id = "870d1753-1078-403e-92d4-735f142edcca"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"

# Two-step sequence joined on process.entity_id: a msxsl.exe process start, then an outbound
# network event from that same process. Both steps match on process.name only, so a copy of the
# binary under another name is not paired; if the data sources populate it, also matching on
# process.pe.original_file_name would close that coverage gap. The direction filter accepts both
# the endpoint spelling ("outgoing") and the ECS spelling ("egress") — verify against the sources.
# The leading /* ... */ is an EQL comment and part of the query string, not TOML.
query = '''
/* duplicate of Network Connection via MsXsl - b86afe07-0d98-4738-b15d-8d7465f95ff5 */

sequence by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and process.name : "msxsl.exe"]
 [network where host.os.type == "windows" and process.name : "msxsl.exe" and network.direction : ("outgoing", "egress")]
'''


# ATT&CK mapping used for tagging and reporting; it does not affect what the query matches.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"


# Tactic for this [[rule.threat]] entry (mirrors the "Tactic: Defense Evasion" tag above).
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"