feat(rules): Suspicious XSL script execution

rabbitstack · rabbitstack · commit 9beeca647054 · 2025-04-14T22:34:39.000+02:00
Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL
 transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding  scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing
  and rendering of data within XML files.
diff --git a/rules/defense_evasion_suspicious_xsl_script_execution.yml b/rules/defense_evasion_suspicious_xsl_script_execution.yml
@@ -0,0 +1,49 @@
+name: Suspicious XSL script execution
+id: 65136b30-14ae-46dd-b8e5-9dfa99690d74
+version: 1.0.0
+description: |
+  Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL
+  transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding 
+  scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing 
+  and rendering of data within XML files.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.id: T1220
+  technique.name: XSL Script Processing
+  technique.ref: https://attack.mitre.org/techniques/T1220/
+references:
+  - https://www.ired.team/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl
+
+condition: >
+  sequence
+  maxspan 3m
+    |spawn_process and (((ps.child.name ~= 'wmic.exe' or ps.child.pe.file.name ~= 'wmic.exe') and ps.child.cmdline imatches
+      ('* format*:*', '*/format*:*', '*-format*:*')
+        and
+        not
+      ps.child.cmdline imatches
+        (
+          '*format:list*',
+          '*format:htable*',
+          '*format:hform*',
+          '*format:table*',
+          '*format:mof*',
+          '*format:value*',
+          '*format:rawxml*',
+          '*format:xml*',
+          '*format:csv*'
+        )
+      )
+        or
+      ps.child.name ~= 'msxsl.exe' or ps.child.pe.file.name ~= 'msxsl.exe'
+     )
+    | by ps.child.uuid
+    |load_dll and image.name iin ('scrobj.dll', 'vbscript.dll', 'jscript.dll', 'jscript9.dll')| by ps.uuid
+
+output: >
+  Suspicious XSL script executed by process %1.ps.child.name with command line arguments %1.ps.child.args
+severity: high
+
+min-engine-version: 2.4.0
