Remote XSL Script Execution via COM

Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.


 1[metadata]
 2creation_date = "2023/09/27"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
11This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Remote XSL Script Execution via COM"
18risk_score = 21
19rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
20severity = "low"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Initial Access",
26    "Tactic: Defense Evasion",
27    "Data Source: Elastic Defend",
28]
29type = "eql"
30
31query = '''
32sequence with maxspan=1m
33 [library where host.os.type == "windows" and dll.name : "msxml3.dll" and
34  process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id
35 [process where host.os.type == "windows" and event.action == "start" and
36  process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and 
37  not process.executable :
38        ("?:\\Windows\\System32\\WerFault.exe",
39         "?:\\Windows\\SysWoW64\\WerFault.exe",
40         "?:\\windows\\splwow64.exe",
41         "?:\\Windows\\System32\\conhost.exe",
42         "?:\\Program Files\\*.exe",
43         "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id
44'''
45
46
# Delivery vector mapping: the Office document is assumed to arrive via a
# phishing link (T1566.002), which is why the rule also carries the
# "Tactic: Initial Access" tag.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

# Sub-table of the [[rule.threat]] element opened above. Order matters in
# TOML: it must stay after that header and before the next [[rule.threat]],
# otherwise it would attach to the wrong threat entry.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
# Second threat entry: the technique actually observed by the query, XSL
# script processing (T1220), mapped to Defense Evasion. No sub-technique
# exists for T1220, so this entry has no [[rule.threat.technique.subtechnique]].
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"

# Tactic for the [[rule.threat]] element opened above; keep it after that
# header so it attaches to this entry and not the previous one.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
