Msxsl.EXE Execution
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Sigma rule (View on GitHub)
1title: Msxsl.EXE Execution
2id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
3status: test
4description: |
5 Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
6 Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
9 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
10author: Timur Zinniatullin, oscd.community
11date: 2019-10-21
12modified: 2023-11-09
13tags:
14 - attack.defense-evasion
15 - attack.t1220
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\msxsl.exe'
22 condition: selection
23falsepositives:
24 - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
25# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition
26level: medium
References
Related rules
- WMIC Loading Scripting Libraries
- XSL Script Execution Via WMIC.EXE
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType