attack.t1220

Potential SquiblyTwo Technique Execution

Nov 25, 2024 · attack.defense-evasion attack.t1047 attack.t1220 attack.execution attack.t1059.005 attack.t1059.007 ·

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Remote XSL Execution Via Msxsl.EXE

Oct 1, 2024 · attack.defense-evasion attack.t1220 ·

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

Msxsl.EXE Execution

Aug 12, 2024 · attack.defense-evasion attack.t1220 ·

Share on:

Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

WMIC Loading Scripting Libraries

Aug 12, 2024 · attack.defense-evasion attack.t1220 ·

Share on:

Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e js, vbs, etc).

XSL Script Execution Via WMIC.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1220 ·

Share on:

Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.