Remote XSL Script Execution via COM

Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/09/27"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/08"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. 
13This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Remote XSL Script Execution via COM"
20risk_score = 21
21rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
22severity = "low"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
24type = "eql"
25
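# Detection logic: an Office process loads the MSXML 3 library and, within one
# minute, spawns a child process. The rule description ties Microsoft.XMLDOM to
# msxml3.dll; MSXML 6 disables XSLT script by default, which is why the legacy
# msxml3.dll load is the precursor worth keying on. The events carry no
# stylesheet URL, so "remote" cannot be confirmed from the query alone.
# Exclusions: crash reporting (WerFault), printer-driver thunking (splwow64),
# the console host (conhost) and executables installed under Program Files.
# NOTE(review): the Program Files exclusions also suppress a payload written
# into a vendor directory with a permissive ACL; tighten them per environment.
# Fix: the "(x86)" entry used "*exe" where its sibling uses "*.exe", so a PE
# under Program Files (x86) whose name merely ended in "exe" was excluded too.
query = '''
sequence with maxspan=1m
 [library where host.os.type == "windows" and dll.name : "msxml3.dll" and
  process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id
 [process where host.os.type == "windows" and event.action == "start" and
  process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and
  not process.executable :
        ("?:\\Windows\\System32\\WerFault.exe",
         "?:\\Windows\\SysWoW64\\WerFault.exe",
         "?:\\windows\\splwow64.exe",
         "?:\\Windows\\System32\\conhost.exe",
         "?:\\Program Files\\*.exe",
         "?:\\Program Files (x86)\\*.exe")] by process.parent.entity_id
'''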
40
[[rule.threat]]
framework = "MITRE ATT&CK"
# Delivery: the triggering document reaches the host through phishing.
# NOTE(review): the query keys on Office child processes, so Spearphishing
# Attachment (T1566.001) may describe delivery at least as well as the link
# sub-technique mapped here — confirm the intended coverage.
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
58
[[rule.threat]]
framework = "MITRE ATT&CK"
# Evasion: per ATT&CK T1220, script embedded in an XSL stylesheet runs through
# the XML parser rather than a script host, so controls keyed on the usual
# script interpreters may not see it.
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

