Techniques
Sample rules
Remote XSL Execution Via Msxsl.EXE
- source: sigma
- techniques:
  - t1220
Description
Detects the execution of the “msxsl” binary with an “http” keyword in the command line. This might indicate a potential remote execution of XSL files.
Detection logic
condition: selection
selection:
  CommandLine|contains: http
  Image|endswith: \msxsl.exe
Msxsl.EXE Execution
- source: sigma
- techniques:
  - t1220
Description
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Detection logic
condition: selection
selection:
  Image|endswith: \msxsl.exe
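Added example (not part of the Sigma rules or of this page's source): a small Python evaluator that applies both selections above to constructed process-creation events, showing how the two rules overlap and where the "http" substring match fires on a local file name. The event values and the helper names (selection_matches, triage) are assumptions made for illustration.

```python
# Minimal evaluator for the two Sigma selections listed on this page.
# Field names (Image, CommandLine) come from the rules; all events are constructed.

def _match(value, modifier, pattern):
    """Apply one Sigma modifier; Sigma string matching is case-insensitive by default."""
    value, pattern = value.lower(), pattern.lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection, event):
    """Every field condition inside one selection must hold (logical AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _match(str(event[field]), modifier, pattern):
            return False
    return True

RULES = {
    "Remote XSL Execution Via Msxsl.EXE": {
        "CommandLine|contains": "http",
        "Image|endswith": r"\msxsl.exe",
    },
    "Msxsl.EXE Execution": {"Image|endswith": r"\msxsl.exe"},
}

def triage(event):
    """Return the names of the rules whose selection matches the event."""
    return [name for name, sel in RULES.items() if selection_matches(sel, event)]

# Constructed sample events (hypothetical paths and hosts, not real telemetry).
EVENTS = [
    {"Image": r"C:\Tools\msxsl.exe",       # remote stylesheet: both rules fire
     "CommandLine": "msxsl.exe data.xml http://example.test/style.xsl"},
    {"Image": r"C:\Tools\MSXSL.EXE",       # local stylesheet, upper-case image
     "CommandLine": r"msxsl.exe data.xml C:\Temp\style.xsl"},
    {"Image": r"C:\Tools\msxsl.exe",       # "http" only inside a local file name
     "CommandLine": r"msxsl.exe C:\reports\http_log.xml C:\reports\format.xsl"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe http-notes.txt"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["CommandLine"], "->", triage(ev) or "no match")
```

The third event shows that the remote-execution rule matches any command line containing "http", so a hit still needs analyst review of the actual stylesheet argument.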