feat(rules): Suspicious XSL script execution

Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL
 transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding  scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing
  and rendering of data within XML files.

Author: rabbitstack

rules/defense_evasion_suspicious_xsl_script_execution.yml

@@ -0,0 +1,34 @@
+name: Suspicious XSL script execution
+id: 65136b30-14ae-46dd-b8e5-9dfa99690d74
+version: 1.0.0
+description: |
+  Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL
+  transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding 
+  scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing 
+  and rendering of data within XML files.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.id: T1220
+  technique.name: XSL Script Processing
+  technique.ref: https://attack.mitre.org/techniques/T1220/
+references:
+  - https://www.ired.team/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl
+
+condition: >
+  sequence
+  maxspan 3m
+    |spawn_process and (((ps.child.name ~= 'wmic.exe' or ps.child.pe.file.name ~= 'wmic.exe') and ps.child.cmdline imatches
+      ('* format*:*', '*/format*:*', '*-format*:*'))
+        or
+      ps.child.name ~= 'msxsl.exe' or ps.child.pe.file.name ~= 'msxsl.exe'
+     )
+    | by ps.child.uuid
+    |load_dll and image.name iin ('vbscript.dll', 'jscript.dll')| by ps.uuid
+
+output: >
+  Suspicious XSL script executed by process %1.ps.child.name with command line arguments %1.ps.child.args
+severity: high
+
+min-engine-version: 2.4.0