Skip to content

DET0205 Detect XSL Script Abuse via msxsl and wmic

Item Value
ID DET0205
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1220 (XSL Script Processing)

Analytics

Windows

AN0581

Execution of XSL scripts via msxsl.exe or wmic.exe using embedded JScript or VBScript for proxy execution. Detection correlates process creation, command-line patterns, and module load behavior of scripting components (e.g., jscript.dll).

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Mutable Elements
Field Description
CommandLinePattern May need to tune based on encoded input or custom extensions (e.g., .jpeg instead of .xsl).
ParentProcess Legitimate administrative or developer tools may use msxsl; validate the parent process chain.
TimeWindow Temporal correlation window between script engine DLL load and suspicious process spawn.
RemoteXSLDomainWhitelist Filter known safe URLs used by enterprise for XSL transformations.