From 9beeca647054fd605f203bda437e9d6eb1657982 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 14 Apr 2025 22:34:39 +0200
Subject: [PATCH] feat(rules): Suspicious XSL script execution

Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
---
 ...vasion_suspicious_xsl_script_execution.yml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 rules/defense_evasion_suspicious_xsl_script_execution.yml

diff --git a/rules/defense_evasion_suspicious_xsl_script_execution.yml b/rules/defense_evasion_suspicious_xsl_script_execution.yml
new file mode 100644
index 000000000..b96a8559f
--- /dev/null
+++ b/rules/defense_evasion_suspicious_xsl_script_execution.yml
@@ -0,0 +1,49 @@
+name: Suspicious XSL script execution
+id: 65136b30-14ae-46dd-b8e5-9dfa99690d74
+version: 1.0.0
+description: |
+ Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL
+ transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding
+ scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing
+ and rendering of data within XML files.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1220
+ technique.name: XSL Script Processing
+ technique.ref: https://attack.mitre.org/techniques/T1220/
+references:
+ - https://www.ired.team/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl
+
+condition: >
+ sequence
+ maxspan 3m
+ |spawn_process and (((ps.child.name ~= 'wmic.exe' or ps.child.pe.file.name ~= 'wmic.exe') and ps.child.cmdline imatches
+ ('* format*:*', '*/format*:*', '*-format*:*')
+ and
+ not
+ ps.child.cmdline imatches
+ (
+ '*format:list*',
+ '*format:htable*',
+ '*format:hform*',
+ '*format:table*',
+ '*format:mof*',
+ '*format:value*',
+ '*format:rawxml*',
+ '*format:xml*',
+ '*format:csv*'
+ )
+ )
+ or
+ ps.child.name ~= 'msxsl.exe' or ps.child.pe.file.name ~= 'msxsl.exe'
+ )
+ | by ps.child.uuid
+ |load_dll and image.name iin ('scrobj.dll', 'vbscript.dll', 'jscript.dll', 'jscript9.dll')| by ps.uuid
+
+output: >
+ Suspicious XSL script executed by process %1.ps.child.name with command line arguments %1.ps.child.args
+severity: high
+
+min-engine-version: 2.4.0
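Review bot: The built-in-format exclusions in the `not ps.child.cmdline imatches (...)` list are unanchored prefix globs, so an attacker who simply names the malicious stylesheet `list.xsl`, `xml_payload.xsl` or `table.xsl` produces a command line like `wmic ... /format:list.xsl` that matches `'*format:list*'` and is silently excluded before the `load_dll` stage is ever evaluated. Since `imatches` already appears to do whole-string glob matching (every positive pattern is wrapped in `*`), each exclusion should require the token to end the argument, e.g. replace `'*format:list*'` with the pair `'*format:list'`, `'*format:list *'` (and likewise for the other eight names), or, if the engine offers a regex operator, a single `format:(list|htable|hform|table|mof|value|rawxml|xml|csv)(\s|$)` pattern. While revisiting the list, consider that `%SystemRoot%\System32\wbem` also ships `texttable.xsl` and `textvaluelist.xsl` (to be confirmed on the target Windows build), so `/format:texttable` would currently fire this high-severity rule on benign use. A short comment above the exclusion block stating that it enumerates wmic's stock stylesheets and must match the full format name, not a prefix, would keep a future edit from reintroducing the gap.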