CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
46b0594150f79a15992cc451384f4e204c673dd3
hayabusa/rules/sigma/process_creation/win_xsl_script_processing.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

49 lines
1.4 KiB
YAML
Raw Blame History

title: XSL Script Processing
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: Extensible Stylesheet Language (XSL) files are commonly used to describe
the processing and rendering of data within XML files. Rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing
application whitelisting defenses.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\wmic.exe'
SELECTION_3:
CommandLine: '*/format*'
SELECTION_4:
Image: '*\msxsl.exe'
SELECTION_5:
CommandLine:
- '*/Format:List*'
- '*/Format:htable*'
- '*/Format:hform*'
- '*/Format:table*'
- '*/Format:mof*'
- '*/Format:value*'
- '*/Format:rawxml*'
- '*/Format:xml*'
- '*/Format:csv*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4) and not
(SELECTION_5))
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
- Static format arguments - https://petri.com/command-line-wmi-part-3
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/11/29
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
status: test
tags:
- attack.defense_evasion
- attack.t1220
- attack.execution
Reference in New Issue View Git Blame Copy Permalink