T1220

XSL Script Processing

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files support embedded scripting in JavaScript, VBScript, and other languages. Two primary abuse vectors exist: (1) msxsl.exe, Microsoft's command-line XSLT transformation utility, which can execute arbitrary JavaScript or VBScript embedded in local or remote XSL files; and (2) wmic.exe with the /FORMAT switch ('Squiblytwo'), which invokes JScript or VBScript within XSL via WMI. Both techniques leverage trusted Windows tooling to proxy malicious code execution while evading application control solutions such as AppLocker. Since msxsl.exe is not installed by default, adversaries typically drop it alongside their payloads. Real-world usage includes Astaroth, Cobalt Group, and Higaisa.

Microsoft Sentinel / Defender

kusto

let MsxslExecutions = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "msxsl.exe"
| extend RemoteXsl = ProcessCommandLine has_any ("http://", "https://", "ftp://", "\\\\")
| extend SameFileArg = extract(@"(\S+\.\w+)\s+\1", 0, ProcessCommandLine) != ""
| extend ArbitraryExt = ProcessCommandLine matches regex @"\.(jpeg|jpg|png|gif|txt|dat|bin|log)\s"
| extend Indicator = case(
    RemoteXsl, "remote-xsl-load",
    SameFileArg, "same-file-twice",
    ArbitraryExt, "arbitrary-extension",
    "local-xsl-exec")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteXsl, SameFileArg, ArbitraryExt, Indicator;
let WmicSquiblytwo = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "/FORMAT"
| where ProcessCommandLine has_any (".xsl", ".xslt", "http://", "https://")
| extend RemoteFormat = ProcessCommandLine has_any ("http://", "https://")
| extend LocalXslFormat = ProcessCommandLine matches regex @"/FORMAT[:\s]+\S*\.xsl"
| extend WmiAlias = extract(@"wmic\s+(\w+)\s+", 1, tolower(ProcessCommandLine))
| extend Indicator = iff(RemoteFormat, "squiblytwo-remote", "squiblytwo-local")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteFormat, LocalXslFormat, WmiAlias, Indicator;
union MsxslExecutions, WmicSquiblytwo
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate XSLT transformations performed by developers or build pipelines using msxsl.exe — rare since the tool is not installed by default
WMIC reporting scripts that use /FORMAT with built-in XSL stylesheets from %SystemRoot%\System32\wbem\en-US\ (e.g., wmic process list /FORMAT:list.xsl)
XML/XSLT tooling in CI/CD pipelines or data processing workflows that invoke msxsl.exe for document transformation
System administration scripts that legitimately use wmic /FORMAT for structured output — verify the XSL path resolves to a known-good system location

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval CommandLine=lower(CommandLine)
| eval is_msxsl=if(match(Image, "msxsl\.exe$"), 1, 0)
| eval is_wmic_format=if(match(Image, "wmic\.exe$") AND match(CommandLine, "/format"), 1, 0)
| where is_msxsl=1 OR is_wmic_format=1
| eval RemoteLoad=if(match(CommandLine, "(https?://|ftp://|\\\\\\\\)"), 1, 0)
| eval SameFileArg=if(match(CommandLine, "(\\S+\\.\\w+)\\s+\\1"), 1, 0)
| eval ArbitraryExt=if(match(CommandLine, "\\.(jpeg|jpg|png|gif|txt|dat|bin|log)\\s"), 1, 0)
| eval XslFormat=if(match(CommandLine, "/format[:\\s]+\\S*\.xsl"), 1, 0)
| eval RemoteXslFormat=if(is_wmic_format=1 AND RemoteLoad=1, 1, 0)
| eval TechniqueVariant=case(
    is_msxsl=1 AND RemoteLoad=1, "msxsl-remote-xsl",
    is_msxsl=1 AND SameFileArg=1, "msxsl-same-file",
    is_msxsl=1 AND ArbitraryExt=1, "msxsl-arbitrary-ext",
    is_msxsl=1, "msxsl-local-xsl",
    RemoteXslFormat=1, "squiblytwo-remote",
    is_wmic_format=1, "squiblytwo-local",
    true(), "unknown")
| eval RiskScore=is_msxsl + RemoteLoad + SameFileArg + ArbitraryExt + RemoteXslFormat
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TechniqueVariant, RemoteLoad, SameFileArg, ArbitraryExt, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate XSLT transformations performed by developers or build pipelines using msxsl.exe — rare since the tool is not installed by default
WMIC reporting scripts that use /FORMAT with built-in XSL stylesheets from %SystemRoot%\System32\wbem\en-US\
XML/XSLT tooling in CI/CD pipelines or data processing workflows invoking msxsl.exe for document transformation
System administration scripts using wmic /FORMAT for structured output — verify XSL path resolves to a known-good system location

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Process Name") LIKE '%msxsl.exe%' AND ("Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' OR "Command" ILIKE '%ftp://%' OR "Command" ILIKE '%\\\\%') THEN 'msxsl-remote-xsl'
    WHEN LOWER("Process Name") LIKE '%msxsl.exe%' AND "Command" ILIKE ANY ('%.jpeg %', '%.jpg %', '%.png %', '%.gif %', '%.txt %', '%.dat %', '%.bin %', '%.log %') THEN 'msxsl-arbitrary-ext'
    WHEN LOWER("Process Name") LIKE '%msxsl.exe%' THEN 'msxsl-local-xsl'
    WHEN LOWER("Process Name") LIKE '%wmic.exe%' AND "Command" ILIKE '%/format%' AND ("Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%') THEN 'squiblytwo-remote'
    WHEN LOWER("Process Name") LIKE '%wmic.exe%' AND "Command" ILIKE '%/format%' AND ("Command" ILIKE '%.xsl%' OR "Command" ILIKE '%.xslt%') THEN 'squiblytwo-local'
    ELSE 'unknown'
  END AS technique_variant,
  CASE
    WHEN "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' OR "Command" ILIKE '%ftp://%' THEN 1
    ELSE 0
  END AS remote_load
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("Process Name") LIKE '%msxsl.exe%')
    OR (
      LOWER("Process Name") LIKE '%wmic.exe%'
      AND LOWER("Command") LIKE '%/format%'
      AND (LOWER("Command") LIKE '%.xsl%' OR LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
    )
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LAST 5000

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via QRadar Universal DSM or Windows Sysmon DSM

Required Tables

events

False Positives

Legitimate use of msxsl.exe in XML/XSLT processing pipelines by document management or reporting software
System administrators using wmic.exe /FORMAT with local XSL stylesheets for WMI output formatting
Enterprise software deployment tools that include msxsl.exe and execute it during installation or configuration tasks

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where EventID = "1" OR EventCode = "1" OR EventID = "4688"
| eval image_lower = toLowerCase(Image)
| eval cmdline_lower = toLowerCase(CommandLine != null ? CommandLine : CommandLine)
| where (image_lower matches ".*msxsl\.exe$") OR (image_lower matches ".*wmic\.exe$" AND cmdline_lower matches ".*/format.*")
// Classify technique variant
| eval is_msxsl = if(image_lower matches ".*msxsl\.exe$", 1, 0)
| eval is_wmic_format = if(image_lower matches ".*wmic\.exe$" AND cmdline_lower matches ".*/format.*", 1, 0)
| eval remote_load = if(cmdline_lower matches ".*(https?://|ftp://|\\\\\\\\).*", 1, 0)
| eval same_file_arg = if(cmdline_lower matches ".*([^\s]+\.[a-z]+)\s+\1.*", 1, 0)
| eval arbitrary_ext = if(cmdline_lower matches ".*\.(jpeg|jpg|png|gif|txt|dat|bin|log)\s.*", 1, 0)
| eval xsl_format = if(cmdline_lower matches ".*/format[:\s]+[^\s]*\.xslt?.*", 1, 0)
| eval technique_variant = if(is_msxsl=1 AND remote_load=1, "msxsl-remote-xsl",
    if(is_msxsl=1 AND same_file_arg=1, "msxsl-same-file",
    if(is_msxsl=1 AND arbitrary_ext=1, "msxsl-arbitrary-ext",
    if(is_msxsl=1, "msxsl-local-xsl",
    if(is_wmic_format=1 AND remote_load=1, "squiblytwo-remote",
    if(is_wmic_format=1, "squiblytwo-local", "unknown"))))))
| eval risk_score = is_msxsl + remote_load + same_file_arg + arbitrary_ext + (is_wmic_format * xsl_format)
| table _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, technique_variant, remote_load, same_file_arg, arbitrary_ext, risk_score
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon (Sysmon Event ID 1) Windows Security Event Log (Event ID 4688) Sumo Logic Cloud SIEM Enterprise normalized process events

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Legitimate XSLT processing in document management or reporting pipelines that use msxsl.exe to transform XML data
IT operations scripts using wmic.exe /FORMAT for administrative reporting with standard WMI output stylesheets
Development or test environments where msxsl.exe is used as part of automated build and test XML transformation workflows

Google Chronicle / SecOps

yaral

rule t1220_xsl_script_processing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1220 XSL Script Processing via msxsl.exe execution or wmic.exe /FORMAT abuse (Squiblytwo). Both vectors proxy arbitrary script execution through trusted Windows tooling."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1220"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline

    (
      // msxsl.exe execution — any invocation
      re.regex($e.target.process.file.full_path, `(?i)msxsl\.exe$`)

      or

      // wmic.exe with /FORMAT targeting XSL/remote URLs (Squiblytwo)
      (
        re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`)
        and
        re.regex($e.target.process.command_line, `(?i)/format`)
        and
        (
          re.regex($e.target.process.command_line, `(?i)\.xslt?`) or
          re.regex($e.target.process.command_line, `(?i)https?://`) or
          re.regex($e.target.process.command_line, `(?i)ftp://`)
        )
      )
    )

  match:
    $hostname over 5m

  outcome:
    $risk_remote = if(
      re.regex($cmdline, `(?i)(https?://|ftp://|\\\\\\\\)`), 1, 0
    )
    $risk_arbitrary_ext = if(
      re.regex($cmdline, `(?i)\.(jpeg|jpg|png|gif|txt|dat|bin|log)\s`), 1, 0
    )
    $is_squiblytwo = if(
      re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`) and
      re.regex($cmdline, `(?i)/format`), 1, 0
    )
    $technique_variant = if(
      re.regex($e.target.process.file.full_path, `(?i)msxsl\.exe$`) and
      re.regex($cmdline, `(?i)(https?://|ftp://|\\\\\\\\)`),
      "msxsl-remote-xsl",
      if(
        re.regex($e.target.process.file.full_path, `(?i)msxsl\.exe$`) and
        re.regex($cmdline, `(?i)\.(jpeg|jpg|png|gif|txt|dat|bin|log)\s`),
        "msxsl-arbitrary-ext",
        if(
          re.regex($e.target.process.file.full_path, `(?i)msxsl\.exe$`),
          "msxsl-local-xsl",
          if(
            $is_squiblytwo = 1 and
            re.regex($cmdline, `(?i)(https?://|ftp://)`),
            "squiblytwo-remote",
            "squiblytwo-local"
          )
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows endpoint telemetry via Chronicle forwarder Sysmon via Chronicle ingestion

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Enterprise XML processing pipelines that legitimately invoke msxsl.exe for XSLT transformations on internal file servers accessed via UNC paths
System administrators running wmic.exe /FORMAT with organization-approved XSL stylesheets for WMI data formatting
Software deployment frameworks that drop and execute msxsl.exe as part of an XML-driven installation workflow

CrowdStrike LogScale (CQL)

cql

// T1220 XSL Script Processing — msxsl.exe and wmic.exe /FORMAT (Squiblytwo)
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)msxsl\.exe$/ OR
  (ImageFileName = /(?i)wmic\.exe$/ AND CommandLine = /(?i)/format/i)
| eval is_msxsl = if(ImageFileName = /(?i)msxsl\.exe$/, 1, 0)
| eval is_wmic_format = if(ImageFileName = /(?i)wmic\.exe$/ AND CommandLine = /(?i)/format/, 1, 0)
| eval remote_load = if(CommandLine = /(?i)(https?:\/\/|ftp:\/\/|\\\\)/, 1, 0)
| eval arbitrary_ext = if(CommandLine = /(?i)\.(jpeg|jpg|png|gif|txt|dat|bin|log)\s/, 1, 0)
| eval same_file_arg = if(CommandLine = /([^\s]+\.[a-z]+)\s+\1/, 1, 0)
| eval xsl_format_target = if(CommandLine = /(?i)\/format[:\s]+[^\s]*\.xslt?/, 1, 0)
| eval remote_xsl_format = if(is_wmic_format = 1 AND remote_load = 1, 1, 0)
| eval technique_variant = case(
    is_msxsl = 1 AND remote_load = 1, "msxsl-remote-xsl",
    is_msxsl = 1 AND same_file_arg = 1, "msxsl-same-file",
    is_msxsl = 1 AND arbitrary_ext = 1, "msxsl-arbitrary-ext",
    is_msxsl = 1, "msxsl-local-xsl",
    remote_xsl_format = 1, "squiblytwo-remote",
    is_wmic_format = 1, "squiblytwo-local",
    *,  "unknown")
| eval risk_score = is_msxsl + remote_load + arbitrary_ext + same_file_arg + remote_xsl_format
| table([
    timestamp, ComputerName, UserName, ImageFileName, CommandLine,
    ParentImageFileName, ParentCommandLine,
    technique_variant, remote_load, arbitrary_ext, same_file_arg, risk_score
  ])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (ProcessRollup2) Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Legitimate use of msxsl.exe by internal XML/XSLT processing tools accessing shared network drives via UNC paths, which trigger the remote-load indicator
wmic.exe /FORMAT invocations by monitoring or inventory scripts that format WMI output using approved local XSL stylesheets
Automated software packaging or installation processes that invoke msxsl.exe to process XML configuration transforms during deployment

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1220 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

XSL Script Processing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections