Network Connection via MsXsl

 1[metadata]
 2creation_date = "2020/03/18"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2025/03/20"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged
11by adversaries to execute malicious scripts and evade detection.
12"""
13from = "now-9m"
14index = [
15    "winlogbeat-*",
16    "logs-endpoint.events.process-*",
17    "logs-endpoint.events.network-*",
18    "logs-windows.sysmon_operational-*",
19]
20language = "eql"
21license = "Elastic License v2"
22name = "Network Connection via MsXsl"
23note = """## Triage and analysis
24
25> **Disclaimer**:
26> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
27
28### Investigating Network Connection via MsXsl
29
30MsXsl.exe is a legitimate Windows utility used to transform XML data using XSLT stylesheets. Adversaries exploit it to execute malicious scripts, bypassing security measures. The detection rule identifies suspicious network activity by MsXsl.exe, focusing on connections to non-local IPs, which may indicate unauthorized data exfiltration or command-and-control communication.
31
32### Possible investigation steps
33
34- Review the process execution details for msxsl.exe, focusing on the process.entity_id and event.type fields to confirm the process start event and gather initial context.
35- Analyze the network connection details, particularly the destination.ip field, to identify the external IP address msxsl.exe attempted to connect to and assess its reputation or any known associations with malicious activity.
36- Check for any related alerts or logs involving the same process.entity_id to determine if msxsl.exe has been involved in other suspicious activities or if there are patterns of behavior indicating a broader attack.
37- Investigate the parent process of msxsl.exe to understand how it was launched and whether it was initiated by a legitimate application or a potentially malicious script.
38- Examine the system for any additional indicators of compromise, such as unusual file modifications or other processes making unexpected network connections, to assess the scope of potential adversarial activity.
39
40### False positive analysis
41
42- Legitimate use of msxsl.exe for XML transformations in enterprise applications may trigger alerts. Users should identify and whitelist known applications or processes that use msxsl.exe for legitimate purposes.
43- Automated scripts or scheduled tasks that utilize msxsl.exe for data processing can cause false positives. Review and document these tasks, then create exceptions for their network activity.
44- Development or testing environments where msxsl.exe is used for debugging or testing XML transformations might be flagged. Ensure these environments are recognized and excluded from monitoring if they are verified as non-threatening.
45- Internal network tools or monitoring solutions that leverage msxsl.exe for legitimate network communications should be identified. Add these tools to an exception list to prevent unnecessary alerts.
46- Regularly review and update the list of excluded IP addresses to ensure that only trusted and verified internal IPs are exempt from triggering the rule.
47
48### Response and remediation
49
50- Immediately isolate the affected system from the network to prevent further unauthorized data exfiltration or command-and-control communication.
51- Terminate the msxsl.exe process if it is still running to stop any ongoing malicious activity.
52- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or files associated with msxsl.exe.
53- Review and analyze the network logs to identify any other systems that may have been targeted or compromised by similar activity.
54- Restore the affected system from a known good backup if any critical system files or configurations have been altered.
55- Implement network segmentation to limit the ability of msxsl.exe or similar utilities to make unauthorized external connections in the future.
56- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been impacted."""
57references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
58risk_score = 21
59rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
60severity = "low"
61tags = [
62    "Domain: Endpoint",
63    "OS: Windows",
64    "Use Case: Threat Detection",
65    "Tactic: Defense Evasion",
66    "Data Source: Elastic Defend",
67    "Data Source: Sysmon",
68    "Resources: Investigation Guide",
69]
70type = "eql"
71
72query = '''
73sequence by process.entity_id
74  [process where host.os.type == "windows" and process.name : "msxsl.exe" and event.type == "start"]
75  [network where host.os.type == "windows" and process.name : "msxsl.exe" and
76     not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
77       "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
78       "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
79       "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
80       "FE80::/10", "FF00::/8")]
81'''
82
83
84[[rule.threat]]
85framework = "MITRE ATT&CK"
86[[rule.threat.technique]]
87id = "T1220"
88name = "XSL Script Processing"
89reference = "https://attack.mitre.org/techniques/T1220/"
90
91
92[rule.threat.tactic]
93id = "TA0005"
94name = "Defense Evasion"
95reference = "https://attack.mitre.org/tactics/TA0005/"