EXPLORE

← Back to Explore

T1220

XSL Script Processing

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017) Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing applicatio...

Windows

12

Detections

3

Sources

2

Threat Actors

BY SOURCE

5sigma4elastic3splunk_escu

PROCEDURES (8)

Remote2 detections

Auto-extracted: 2 detections for remote

Script Execution Monitoring2 detections

Auto-extracted: 2 detections for script execution monitoring

Wmi2 detections

Auto-extracted: 2 detections for wmi

Privilege1 detections

Auto-extracted: 1 detections for privilege

Bypass1 detections

Auto-extracted: 1 detections for bypass

Wmi1 detections

Auto-extracted: 1 detections for wmi

Wmi1 detections

Auto-extracted: 1 detections for wmi

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

THREAT ACTORS (2)

Cobalt Group Higaisa

DETECTIONS (12)

Cisco NVM - Suspicious Network Connection Initiated via MsXsl

Delayed Execution via Ping

Msxsl.EXE Execution

Network Connection via MsXsl

Potential Remote SquiblyTwo Technique Execution

Remote XSL Execution Via Msxsl.EXE

Remote XSL Script Execution via COM

Suspicious WMIC XSL Script Execution

WMIC Loading Scripting Libraries

WMIC XSL Execution via URL

XSL Script Execution Via WMIC.EXE

XSL Script Execution With WMIC