title: XSL Script Processing
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: Extensible Stylesheet Language (XSL) files are commonly used to describe
  the processing and rendering of data within XML files. Rule detects when adversaries
  abuse this functionality to execute arbitrary files while potentially bypassing
  application whitelisting defenses.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\wmic.exe'
  SELECTION_3:
    CommandLine: '*/format*'
  SELECTION_4:
    Image: '*\msxsl.exe'
  SELECTION_5:
    CommandLine:
    - '*/Format:List*'
    - '*/Format:htable*'
    - '*/Format:hform*'
    - '*/Format:table*'
    - '*/Format:mof*'
    - '*/Format:value*'
    - '*/Format:rawxml*'
    - '*/Format:xml*'
    - '*/Format:csv*'
  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4) and  not
    (SELECTION_5))
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
- Static format arguments - https://petri.com/command-line-wmi-part-3
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2021/11/29
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
status: test
tags:
- attack.defense_evasion
- attack.t1220
- attack.execution