Prasanna1
Staff
August 12, 2020

HUNTS- XSL Script Processing (T1220)



Version 1.0


ATT&CK Technique: XSL Script Processing (T1220)


What this playbook hunts for:

  • XSL stylesheets can carry embedded JavaScript or VBScript, and trusted, signed OS binaries (WMIC.exe, and MSXSL.exe where it is present) will execute that script when they process the stylesheet. An adversary can use this to bypass application whitelisting without dropping a new executable. This playbook runs three hunts, each detecting a different way of executing an XSL script.


How the playbook works:

  • Generates a SIEM query for Sysmon Event ID 1 (process creation) logs where WMIC.exe was executed with command line arguments containing an .xsl file (typically passed through the /format: switch).

  • Generates a SIEM query for Sysmon Event ID 1 logs where the command line contains an .xsl file or the process image is msxsl.exe, and the process is not WMIC.exe (WMIC executions are covered by the first query).

  • Generates a SIEM query for Sysmon Event ID 1 logs where the parent command line of a process contains an .xsl file. This catches child processes (cmd.exe, powershell.exe, and so on) spawned by a running XSL script.
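Added example, not part of the original playbook or its SIEM query generator: the three hunts above expressed as Python rules and run over constructed Sysmon Event ID 1 records, with each hit projected onto the fields the playbook returns (process name, PID, image path, time, MD5 taken from the Sysmon Hashes field, hostname, user). The host names, user names, paths, PIDs and hash values are made up for the example, as is the known-good stylesheet allowlist used to suppress a legitimate msxsl.exe reporting job. Your SIEM query language will differ, but the matching logic is the same.

```python
# Added example (not the playbook's own SIEM queries): the three T1220 hunts
# implemented as Python rules over constructed Sysmon Event ID 1 records.
import re
from typing import Iterable

# ".xsl" not followed by another letter or digit, so 'evil.xsl' and 'x.xsl"' match.
XSL_RE = re.compile(r"\.xsl(?![a-z0-9])", re.IGNORECASE)
MD5_RE = re.compile(r"MD5=([0-9A-Fa-f]{32})")

# Constructed sample events: hosts, users, paths, PIDs and hash values below are
# made up for this example and are not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-08-12 09:14:02.117", "Computer": "WKS-0042", "User": "CORP\\alice",
     "ProcessId": 4120, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption",  # benign: no stylesheet involved
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Hashes": "MD5=11111111111111111111111111111111"},
    {"UtcTime": "2020-08-12 09:21:40.502", "Computer": "WKS-0042", "User": "CORP\\bob",
     "ProcessId": 5208, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process list /format:"C:\Users\Public\evil.xsl"',  # hunt 1
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Hashes": "MD5=11111111111111111111111111111111"},
    {"UtcTime": "2020-08-12 09:21:41.077", "Computer": "WKS-0042", "User": "CORP\\bob",
     "ProcessId": 5304, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden",  # spawned by the script
     "ParentImage": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentCommandLine": r'wmic process list /format:"C:\Users\Public\evil.xsl"',  # hunt 3
     "Hashes": "MD5=22222222222222222222222222222222"},
    {"UtcTime": "2020-08-12 10:02:13.910", "Computer": "WKS-0017", "User": "CORP\\bob",
     "ProcessId": 6140, "Image": r"C:\Users\bob\AppData\Local\Temp\msxsl.exe",  # hunt 2
     "CommandLine": "msxsl.exe data.xml report.xsl",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Hashes": "MD5=33333333333333333333333333333333"},
    {"UtcTime": "2020-08-12 10:30:00.004", "Computer": "SRV-RPT01", "User": "CORP\\svc_reports",
     "ProcessId": 7322, "Image": r"C:\Program Files\ReportTool\msxsl.exe",  # hunt 2, known good
     "CommandLine": r'msxsl.exe export.xml "C:\Program Files\ReportTool\templates\invoice.xsl"',
     "ParentImage": r"C:\Program Files\ReportTool\scheduler.exe", "ParentCommandLine": "scheduler.exe",
     "Hashes": "MD5=44444444444444444444444444444444"},
]

# Stylesheets known to be legitimate in this (assumed) environment.
KNOWN_GOOD_XSL = frozenset({r"C:\Program Files\ReportTool\templates\invoice.xsl"})


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def summarize(ev: dict) -> dict:
    """Project a Sysmon Event ID 1 record onto the fields the playbook returns."""
    m = MD5_RE.search(ev.get("Hashes", ""))
    return {"process": _basename(ev["Image"]), "pid": ev["ProcessId"], "path": ev["Image"],
            "time": ev["UtcTime"], "md5": m.group(1).lower() if m else None,
            "host": ev["Computer"], "user": ev["User"], "command_line": ev["CommandLine"]}


def hunt_wmic_xsl(ev: dict) -> bool:
    """Hunt 1: WMIC.exe launched with an .xsl file on its command line."""
    return _basename(ev["Image"]) == "wmic.exe" and bool(XSL_RE.search(ev["CommandLine"]))


def hunt_other_xsl(ev: dict) -> bool:
    """Hunt 2: .xsl on the command line, or msxsl.exe itself, for any process other than WMIC."""
    image = _basename(ev["Image"])
    if image == "wmic.exe":
        return False  # already covered by hunt 1
    return image == "msxsl.exe" or bool(XSL_RE.search(ev["CommandLine"]))


def hunt_parent_xsl(ev: dict) -> bool:
    """Hunt 3: a child process whose parent's command line carries an .xsl file."""
    return bool(XSL_RE.search(ev.get("ParentCommandLine", "")))


HUNTS = {"wmic_xsl": hunt_wmic_xsl, "other_xsl": hunt_other_xsl, "parent_xsl": hunt_parent_xsl}


def run_hunts(events: Iterable[dict], known_good_xsl: frozenset = frozenset()) -> dict:
    """Return {hunt_name: [summary, ...]}. Events whose command line names a known-good
    stylesheet (case-insensitive substring match) are dropped, which is the tuning the
    playbook suggests for environments that legitimately use msxsl.exe."""
    hits = {name: [] for name in HUNTS}
    for ev in events:
        cmd = ev["CommandLine"].lower()
        if any(good.lower() in cmd for good in known_good_xsl):
            continue
        for name, rule in HUNTS.items():
            if rule(ev):
                hits[name].append(summarize(ev))
    return hits


if __name__ == "__main__":
    for name, found in run_hunts(SAMPLE_EVENTS, KNOWN_GOOD_XSL).items():
        for hit in found:
            print(name, hit["host"], hit["user"], hit["pid"], hit["path"])
```

Two notes on the design. The second hunt is written as "any process that is not WMIC.exe" so that the same event is not reported twice; the child powershell.exe in the sample is only reported by the third hunt, because its own command line carries no stylesheet. The ".xsl" string match is a floor, not a ceiling: WMIC's /format: switch accepts a local path or a URL and does not require the stylesheet to carry an .xsl extension, so a query on ".xsl" alone will miss a renamed stylesheet.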


What results are expected:

  • Name, process ID, and path of process executing the .xsl file

  • Execution time

  • MD5 hash of the executed process image, taken from the Sysmon Hashes field (only populated if MD5 is among the configured HashAlgorithms)

  • Hostname of the computer where the .xsl file was executed

  • User account which launched the process executing the .xsl file


Common follow-on actions:

  • Quarantine host


What inputs are necessary:

  • SIEM

  • Logs: Sysmon Event ID 1: Process creation

  • Hunt start time


What subroutine playbooks are needed:

  • Create and Link Alerts from Hunt (Host-based)

  • Create User from Alert (Host)

  • Link Asset to Alert (POST-CREATE)

  • Create Indicators from MITRE Alert (Process and Hash)

  • Deduplicate Comments (Hunt)


What configurations are needed:

  • Sysmon logging enabled to include Event ID 1 (process creation), with CommandLine and ParentCommandLine not filtered out and MD5 included in the configured HashAlgorithms so the hash field is populated


False Positive Potential: Low

  • MSXSL.exe is not installed on Windows by default (it is a separately downloaded Microsoft tool), but an attacker may drop it on a compromised host as part of their payload. In environments where MSXSL.exe is not used or installed at all, a single execution of that process should be treated as suspicious. In environments where MSXSL.exe is installed and used routinely, it may be worthwhile to whitelist known-good .xsl files (by full path, or better, by hash) rather than the process itself.

  • WMIC.exe executions should be monitored and understood as a general practice. The SIEM queries generated by this playbook look specifically for WMIC.exe executions whose command line contains an .xsl file; passing a stylesheet to WMIC is a nonstandard use and should be treated as suspicious. Note that WMIC's /format: switch accepts a local path or a URL and does not require the stylesheet to carry an .xsl extension, so a match on ".xsl" is a lower bound: a renamed stylesheet will only be caught by the third query, if the script spawns a child process, or by broadening the WMIC query to any /format: value that is not one of the built-in format names.