defense_evasion_suspicious_xsl_script_execution.yml
name: Suspicious XSL script execution
id: 65136b30-14ae-46dd-b8e5-9dfa99690d74
version: 1.0.7
description: |
  Identifies suspicious execution of an XSL script via the Windows Management Instrumentation command-line
  tool (wmic.exe) or the XSL transformation utility (msxsl.exe). Adversaries may bypass application control
  and obscure the execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL)
  files are commonly used to describe the processing and rendering of data within XML files.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1220
  technique.name: XSL Script Processing
  technique.ref: https://attack.mitre.org/techniques/T1220/
references:
  - https://www.ired.team/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl
condition: >
  sequence
  maxspan 3m
  by ps.uuid
    |spawn_process and
      (((ps.name ~= 'wmic.exe' or ps.pe.file.name ~= 'wmic.exe') and
        ps.cmdline imatches ('* format*:*', '*/format*:*', '*-format*:*') and
        ps.cmdline not imatches
          (
            '*format:list*',
            '*format:htable*',
            '*format:hform*',
            '*format:table*',
            '*format:mof*',
            '*format:value*',
            '*format:rawxml*',
            '*format:xml*',
            '*format:csv*'
          )
      ) or
      ps.name ~= 'msxsl.exe' or ps.pe.file.name ~= 'msxsl.exe'
      )
    |
    |load_dll and dll.name iin ('scrobj.dll', 'vbscript.dll', 'jscript.dll', 'jscript9.dll')|
output: >
  Suspicious XSL script executed by process %1.ps.name with command line arguments %1.ps.args
severity: high
min-engine-version: 3.0.0
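The following is an added example, not part of the Fibratus rule above or of the project's own code: a small Python re-implementation of the rule's two-stage sequence, run over a handful of constructed process-spawn and DLL-load events. It shows what the sequence actually requires before it fires: a wmic.exe launch whose /format: target is not one of the built-in output formats (or any msxsl.exe launch), followed within three minutes by the same process loading one of the script engines. The event shape, the `ps_uuid` join key and the one-pending-match-per-process bookkeeping are simplifications assumed here; `imatches` is modelled as a case-insensitive glob.

```python
"""Added example: a minimal stand-in for the Fibratus sequence rule
'Suspicious XSL script execution', evaluated over constructed events.
This is not the project's engine; the event model is an assumption."""
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timedelta

# Globs copied from the rule. They are matched case-insensitively, as `imatches` does.
FORMAT_GLOBS = ("* format*:*", "*/format*:*", "*-format*:*")
BUILTIN_FORMATS = ("*format:list*", "*format:htable*", "*format:hform*",
                   "*format:table*", "*format:mof*", "*format:value*",
                   "*format:rawxml*", "*format:xml*", "*format:csv*")
SCRIPT_ENGINES = ("scrobj.dll", "vbscript.dll", "jscript.dll", "jscript9.dll")
MAXSPAN = timedelta(minutes=3)   # `maxspan 3m`


@dataclass
class Event:
    """Assumed event shape: only the fields the rule reads."""
    kind: str            # "spawn_process" or "load_dll"
    ts: datetime
    ps_uuid: str         # both stages are joined `by ps.uuid`
    ps_name: str = ""
    cmdline: str = ""
    dll_name: str = ""


def imatches(value, globs):
    """Case-insensitive glob match, the behaviour of the rule's `imatches`."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, g.lower()) for g in globs)


def stage1(ev):
    """spawn_process predicate: wmic with a non-built-in /format target, or msxsl."""
    if ev.kind != "spawn_process":
        return False
    name = ev.ps_name.lower()           # `~=` is case-insensitive equality
    if name == "msxsl.exe":
        return True
    return (name == "wmic.exe"
            and imatches(ev.cmdline, FORMAT_GLOBS)
            and not imatches(ev.cmdline, BUILTIN_FORMATS))


def stage2(ev):
    """load_dll predicate: one of the script engines, matched case-insensitively (`iin`)."""
    return ev.kind == "load_dll" and ev.dll_name.lower() in SCRIPT_ENGINES


def detect(events):
    """Return one alert string per completed sequence.

    A stage-1 event opens a partial match keyed by ps.uuid; a stage-2 event for the
    same uuid within MAXSPAN completes it and the partial match is consumed.
    A stage-2 event arriving after MAXSPAN discards the expired partial match.
    """
    pending = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if stage1(ev):
            pending[ev.ps_uuid] = ev
        elif stage2(ev) and ev.ps_uuid in pending:
            first = pending.pop(ev.ps_uuid)
            if ev.ts - first.ts <= MAXSPAN:
                alerts.append(f"Suspicious XSL script executed by process {first.ps_name} "
                              f"with command line arguments {first.cmdline}")
    return alerts


# Constructed sample events (not real telemetry). Paths and uuids are made up.
T0 = datetime(2024, 1, 1, 12, 0, 0)
XSL_CMD = 'wmic os get /format:"C:\\Users\\Public\\payload.xsl"'
SAMPLE_EVENTS = [
    # 1) wmic with a custom XSL target, then scrobj.dll 5 s later -> alert
    Event("spawn_process", T0, "a1", "WMIC.exe", XSL_CMD),
    Event("load_dll", T0 + timedelta(seconds=5), "a1", dll_name="scrobj.dll"),
    # 2) wmic with a built-in format; the exclusion list suppresses it -> no alert
    Event("spawn_process", T0 + timedelta(seconds=10), "b2", "wmic.exe", "wmic os get /format:hform"),
    Event("load_dll", T0 + timedelta(seconds=12), "b2", dll_name="jscript.dll"),
    # 3) any msxsl.exe launch followed by a script engine -> alert
    Event("spawn_process", T0 + timedelta(seconds=20), "c3", "msxsl.exe", "msxsl.exe data.xml transform.xsl"),
    Event("load_dll", T0 + timedelta(seconds=21), "c3", dll_name="JScript.dll"),
    # 4) same custom XSL target, but the DLL load arrives after 4 min -> outside maxspan, no alert
    Event("spawn_process", T0 + timedelta(seconds=30), "d4", "wmic.exe", XSL_CMD),
    Event("load_dll", T0 + timedelta(seconds=30, minutes=4), "d4", dll_name="vbscript.dll"),
]


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Running the block prints two alerts, one for the wmic.exe launch with the custom XSL path and one for msxsl.exe; the `/format:hform` launch is suppressed by the exclusion list, and the fourth pair is dropped because the DLL load falls outside the three-minute window. Note that the rule suppresses by excluding known built-in wmic formats rather than allow-listing, so any new legitimate format name would surface as a hit until added to that list.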