Remote XSL Script Execution via COM

Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.

Elastic rule

[metadata]
creation_date = "2023/09/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote XSL Script Execution via COM"
risk_score = 21
rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence with maxspan=1m
 [library where host.os.type == "windows" and dll.name : "msxml3.dll" and
  process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id
 [process where host.os.type == "windows" and event.action == "start" and
  process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and
  not process.executable :
        ("?:\\Windows\\System32\\WerFault.exe",
         "?:\\Windows\\SysWoW64\\WerFault.exe",
         "?:\\windows\\splwow64.exe",
         "?:\\Windows\\System32\\conhost.exe",
         "?:\\Program Files\\*.exe",
         "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Remote XSL Script Execution via COM

The Microsoft.XMLDOM COM interface allows applications to parse and transform XML documents using XSL scripts. Adversaries exploit this by embedding malicious scripts in Office documents, triggering execution via Office processes like Word or Excel. The detection rule identifies suspicious activity by monitoring for the loading of specific DLLs and the execution of unexpected child processes, indicating potential script execution attempts.

### Possible investigation steps

- Review the alert details to identify the specific Office process (e.g., winword.exe, excel.exe) that triggered the alert and note the process entity ID for further investigation.
- Check the process tree to identify any unexpected child processes spawned by the Office application, focusing on those not matching typical system executables like WerFault.exe or conhost.exe.
- Investigate the loaded DLLs, specifically msxml3.dll, to confirm its legitimate use and check for any anomalies or unusual patterns in its loading sequence.
- Analyze the parent and child process relationships to determine if the execution flow aligns with typical user activity or if it suggests malicious behavior.
- Gather additional context by reviewing recent user activity and document interactions to identify any potential phishing attempts or suspicious document handling that could have led to the alert.
- Correlate the findings with other security events or alerts in the environment to assess if this activity is part of a broader attack pattern or isolated incident.

### False positive analysis

- Legitimate use of Microsoft Office applications for XML processing can trigger the rule. Users should identify and whitelist known applications or scripts that regularly perform XML transformations using the Microsoft.XMLDOM COM interface.
- Automated document processing systems that utilize Office applications to handle XML data might cause false positives. Exclude these systems by specifying their process names or executable paths in the detection rule.
- Software updates or installations that involve Office applications may load the msxml3.dll and start child processes. Temporarily disable the rule during scheduled maintenance or update windows to prevent false alerts.
- Custom Office add-ins or macros that interact with XML files could be misidentified as threats. Review and approve these add-ins, then adjust the rule to exclude their specific behaviors.
- Regular business processes that involve document conversion or data extraction using Office tools might be flagged. Document these processes and create exceptions based on their unique characteristics, such as specific file paths or process names.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread of the malicious script execution.
- Terminate any suspicious processes identified as child processes of Office applications, such as winword.exe or excel.exe, that are not part of the standard executable paths.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious scripts or files.
- Review and restore any altered or deleted files from secure backups to ensure data integrity and system functionality.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement application whitelisting to restrict the execution of unauthorized scripts and executables, particularly those not located in standard directories.
- Enhance monitoring and alerting for similar activities by ensuring that the detection rule is actively deployed and that alerts are configured to notify the appropriate personnel promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
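
The sequence logic of the EQL query above, re-implemented as an added Python example (not Elastic's code) and run over constructed sample events: it joins the msxml3.dll library load to a later child-process start on the Office process's entity ID within the one-minute maxspan, and applies the rule's executable exclusions with the same `?`/`*` wildcard and case-insensitive semantics. The flat event field names are simplified from ECS and are assumptions, as is the `_proc` helper.

```python
"""Toy re-implementation of the rule's EQL sequence; added example, not Elastic's code."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe"}
# Exclusions copied from the rule: "?" matches one char (drive letter), "*" any run.
EXCLUDED_EXE = [
    "?:\\Windows\\System32\\WerFault.exe",
    "?:\\Windows\\SysWoW64\\WerFault.exe",
    "?:\\windows\\splwow64.exe",
    "?:\\Windows\\System32\\conhost.exe",
    "?:\\Program Files\\*.exe",
    "?:\\Program Files (x86)\\*exe",
]
MAXSPAN = timedelta(minutes=1)  # sequence with maxspan=1m

def excluded(path):
    """EQL ':' matching is case-insensitive, so compare lower-cased strings."""
    return any(fnmatchcase(path.lower(), p.lower()) for p in EXCLUDED_EXE)

def match_sequence(events):
    """Return (library_event, process_event) pairs satisfying the rule. Simplified: a
    stage-1 event stays eligible for every later child, whereas EQL consumes matches."""
    pending = {}  # Office process entity_id -> its msxml3.dll load event
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["category"] == "library":
            if ev["dll"].lower() == "msxml3.dll" and ev["process"].lower() in OFFICE:
                pending[ev["entity_id"]] = ev
        elif ev["category"] == "process" and ev["action"] == "start":
            first = pending.get(ev["parent_entity_id"])  # join on the parent's entity_id
            if (first and ev["parent"].lower() in OFFICE
                    and not excluded(ev["executable"])
                    and ev["@timestamp"] - first["@timestamp"] <= MAXSPAN):
                hits.append((first, ev))
    return hits

T0 = datetime(2025, 1, 15, 9, 0, 0)
def _proc(secs, parent, pid, exe, eid):  # assumed helper building a constructed start event
    return {"@timestamp": T0 + timedelta(seconds=secs), "category": "process", "action": "start",
            "parent": parent, "parent_entity_id": pid, "executable": exe, "entity_id": eid}

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"@timestamp": T0, "category": "library", "process": "WINWORD.EXE", "entity_id": "w-1", "dll": "msxml3.dll"},
    _proc(5, "WINWORD.EXE", "w-1", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "p-1"),  # hit
    _proc(10, "WINWORD.EXE", "w-1", "C:\\Windows\\System32\\WerFault.exe", "p-2"),  # excluded crash handler
    _proc(20, "EXCEL.EXE", "x-1", "C:\\Program Files\\Vendor\\app.exe", "p-3"),  # x-1 never loaded msxml3
    _proc(180, "WINWORD.EXE", "w-1", "C:\\Windows\\System32\\notepad.exe", "p-4"),  # outside maxspan
]
```

Running `match_sequence(SAMPLE_EVENTS)` yields exactly one pair: the Word process that loaded msxml3.dll and its Temp-directory child started five seconds later; the other three starts fall to the exclusion list, the missing join key, or the maxspan.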
