Remote XSL Script Execution via COM
Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
[metadata]
creation_date = "2023/09/27"
# Integration whose data streams the query reads (the logs-endpoint.* indices under [rule]).
integration = ["endpoint"]
maturity = "production"
# Why 8.3.0: the schema fields listed here only exist from that stack version on.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
"""
# Look-back per rule run; it must cover the sequence's 1m maxspan so an event pair is not split across runs.
from = "now-9m"
# Both streams are required: stage 1 of the sequence is a library event, stage 2 a process event.
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote XSL Script Execution via COM"
# Low score/severity: the DLL load alone is never alerted on (presumably common in Office), and the
# child-process stage is constrained only by the exclusion list in the query.
risk_score = 21
rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"

# Stage 1: an Office process (winword/excel/powerpnt/mspub) loads msxml3.dll, the library behind the
# Microsoft.XMLDOM interface named in the description; keyed on process.entity_id.
# Stage 2: within 1m that same process (joined through process.parent.entity_id) starts a child.
# Known benign children are excluded by executable path: Windows Error Reporting (WerFault), the
# 32-bit print driver host (splwow64), conhost, and anything under either Program Files tree.
# NOTE(review): the last exclusion reads "*exe" while its sibling reads "*.exe"; "*exe" also matches
# names that merely end in "exe" -- confirm the dot was not dropped by accident.
# Keep TOML comments outside the ''' literal below: anything inside it is part of the query text.
query = '''
sequence with maxspan=1m
 [library where host.os.type == "windows" and dll.name : "msxml3.dll" and
 process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id
 [process where host.os.type == "windows" and event.action == "start" and
 process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and
 not process.executable :
 ("?:\\Windows\\System32\\WerFault.exe",
 "?:\\Windows\\SysWoW64\\WerFault.exe",
 "?:\\windows\\splwow64.exe",
 "?:\\Windows\\System32\\conhost.exe",
 "?:\\Program Files\\*.exe",
 "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id
'''

# ATT&CK mapping: one [[rule.threat]] entry per tactic, each listing its technique(s) and sub-technique(s).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"



# Tactic of this entry. It is a sub-table of the current [[rule.threat]] element and therefore
# must stay before the next [[rule.threat]] header.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

# Second tactic entry: the XSL-processing technique (T1220) is what the DLL-load stage of the query targets.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"


# Tactic of this entry; sub-table of the [[rule.threat]] element directly above.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Potential Remote File Execution via MSIEXEC
- Potential Masquerading as Business App Installer
- SolarWinds Process Disabling Services via Registry
- Suspicious Explorer Child Process
- Suspicious MS Office Child Process