Remote XSL Script Execution via COM
Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
[metadata]
# Dates are kept as YYYY/MM/DD strings rather than TOML native dates; the
# value format here is not RFC 3339, so do not "fix" it into a bare date.
creation_date = "2023/09/27"
# The query reads Elastic Defend's process and library event streams, so
# the endpoint integration is a hard requirement for this rule.
integration = ["endpoint"]
maturity = "production"
# Last revision of the rule content; presumably expected to move whenever
# the query or its exclusions change — confirm against repo convention.
updated_date = "2024/05/21"

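[rule]
author = ["Elastic"]
description = """
Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
"""
# Look-back window for each run. No explicit schedule interval is set in this
# rule, so 9 minutes is presumably chosen to overlap the default interval and
# avoid gaps between consecutive runs — confirm if the interval is changed.
from = "now-9m"
# Both streams are required: stage 1 of the sequence is a library (DLL load)
# event, stage 2 a process start event.
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote XSL Script Execution via COM"
# Keep risk_score and severity in step with each other when retuning.
risk_score = 21
rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    # The "Tactic:" tags mirror the tactic names of the [[rule.threat]]
    # entries below; add or remove them together.
    "Tactic: Initial Access",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
]
type = "eql"

# Detection logic: a two-stage EQL sequence joined on the Office process.
#   1. An Office process loads msxml3.dll, the library that backs the
#      Microsoft.XMLDOM COM interface named in the description.
#   2. Within one minute, the *same process instance* (stage-1
#      process.entity_id joined to stage-2 process.parent.entity_id) starts
#      a child process.
# What the query does NOT see: the XSL document, its URL, or any script
# inside it. "Remote"/"hosted" in the rule name is inferred from the DLL
# load + child process pairing, not observed — triage by pulling the network
# and file activity of the Office process around the alert time.
# The four Office binaries are listed twice (once per stage); extend both
# lists together if more hosts are added. NOTE(review): outlook.exe,
# msaccess.exe and visio.exe are not covered — confirm that is intended.
# Exclusions: the `?:` prefix is a single-character wildcard for the drive
# letter. WerFault/splwow64/conhost are routine children of Office; the two
# Program Files patterns drop installed applications launched via add-ins
# or automation. Those two are broad — anything started from a writable
# subdirectory under either Program Files tree is not alerted on — so widen
# them with care. The second pattern previously read `*exe` (no dot), which
# also matched names that merely end in "exe"; it is now aligned with its
# sibling to `*.exe`.
query = '''
sequence with maxspan=1m
  [library where host.os.type == "windows" and dll.name : "msxml3.dll" and
   process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id
  [process where host.os.type == "windows" and event.action == "start" and
   process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and
   not process.executable :
          ("?:\\Windows\\System32\\WerFault.exe",
           "?:\\Windows\\SysWoW64\\WerFault.exe",
           "?:\\windows\\splwow64.exe",
           "?:\\Windows\\System32\\conhost.exe",
           "?:\\Program Files\\*.exe",
           "?:\\Program Files (x86)\\*.exe")] by process.parent.entity_id
'''
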
[[rule.threat]]
framework = "MITRE ATT&CK"

# Delivery-side mapping: the rule fires on Office behaviour, and a phishing
# link is the assumed way the document reached the host. The JScript/VBScript
# execution the description mentions has no mapping of its own here —
# NOTE(review): if an Execution-tactic entry (T1059.005 / T1059.007) is
# wanted, it must be added together with a matching "Tactic: Execution" tag.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

# Primary mapping: T1220 covers running script embedded in an XSL document
# through the XML/XSLT machinery (here the Microsoft.XMLDOM interface named
# in the description) rather than a conventional script host.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"