EXPLORE
Sign In
← Back to Explore
T1220

XSL Script Processing

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017) Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing applicatio...

Windows
12
Detections
3
Sources
2
Threat Actors

BY SOURCE

5sigma4elastic3splunk_escu

PROCEDURES (8)

Bypass2 detections

Auto-extracted: 2 detections for bypass

Bypass2 detections

Auto-extracted: 2 detections for bypass

Script Execution Monitoring2 detections

Auto-extracted: 2 detections for script execution monitoring

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Wmi1 detections

Auto-extracted: 1 detections for wmi

Privilege1 detections

Auto-extracted: 1 detections for privilege

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

THREAT ACTORS (2)

Cobalt GroupHigaisa

DETECTIONS (12)

Cisco NVM - Suspicious Network Connection Initiated via MsXsl
splunk_escu
Delayed Execution via Ping
elasticlow
Msxsl.EXE Execution
sigmamedium
Network Connection via MsXsl
elasticlow
Potential Remote SquiblyTwo Technique Execution
sigmahigh
Remote XSL Execution Via Msxsl.EXE
sigmahigh
Remote XSL Script Execution via COM
elasticlow
Suspicious WMIC XSL Script Execution
elasticmedium
WMIC Loading Scripting Libraries
sigmamedium
WMIC XSL Execution via URL
splunk_escu
XSL Script Execution Via WMIC.EXE
sigmamedium
XSL Script Execution With WMIC
splunk_escu