Detect XSL Script Processing in IBM QRadar
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files support embedded scripting in JavaScript, VBScript, and other languages. Two primary abuse vectors exist: (1) msxsl.exe, Microsoft's command-line XSLT transformation utility, which can execute arbitrary JavaScript or VBScript embedded in local or remote XSL files; and (2) wmic.exe with the /FORMAT switch ('Squiblytwo'), which invokes JScript or VBScript within XSL via WMI. Both techniques leverage trusted Windows tooling to proxy malicious code execution while evading application control solutions such as AppLocker. Since msxsl.exe is not installed by default, adversaries typically drop it alongside their payloads. Real-world usage includes Astaroth, Cobalt Group, and Higaisa.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1220 XSL Script Processing
- Canonical reference: https://attack.mitre.org/techniques/T1220/
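The description above rests on one XSL feature: the Microsoft msxsl:script extension element, which lets a stylesheet carry JScript or VBScript that the transform engine executes. The following is an added example, not code from the original page or from IBM, of a static check that a file-inspection or sandbox pipeline can run on a suspect stylesheet (including one with a masked extension): it parses the document and reports every msxsl:script block with its declared language. The sample stylesheet is constructed for the example and its script only returns a string; the function names are my own.

```python
# Added example (not part of the original page): static inspection of an
# XSL document for embedded msxsl:script blocks. Names and the sample
# stylesheet are constructed for illustration.
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"   # namespace of the msxsl:script extension

# Constructed sample: a stylesheet declaring a harmless JScript extension function.
SAMPLE_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:example-user">
  <xsl:output method="text"/>
  <msxsl:script language="JScript" implements-prefix="user">
    function greet() { return "hello from the stylesheet"; }
  </msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="user:greet()"/>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: an ordinary stylesheet with no script extension.
PLAIN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:value-of select="name(/*)"/></xsl:template>
</xsl:stylesheet>
"""


def inspect_xsl(text):
    """Parse a candidate XSL document and summarise any embedded script.

    Returns a dict with:
      parsed        - False when the input is not well-formed XML (e.g. a real image)
      is_stylesheet - True when the root is xsl:stylesheet or xsl:transform, whatever
                      the file extension says (Test 5 renames .xsl to .jpeg)
      scripts       - one entry per msxsl:script element: language, implements-prefix,
                      line count and a short preview of the code
    A well-formed XSLT 1.0 stylesheet has no reason to contain msxsl:script, so any
    entry in 'scripts' deserves a look; the language tells you which engine
    (jscript.dll / vbscript.dll) the transform would load.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return {"parsed": False, "is_stylesheet": False, "scripts": []}

    is_stylesheet = root.tag in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform")
    scripts = []
    for el in root.iter(f"{{{MSXSL_NS}}}script"):
        body = (el.text or "").strip()
        scripts.append({
            "language": el.get("language", "(unspecified)"),
            "implements_prefix": el.get("implements-prefix", ""),
            "lines": body.count("\n") + 1 if body else 0,
            "preview": body[:60],
        })
    return {"parsed": True, "is_stylesheet": is_stylesheet, "scripts": scripts}


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_XSL), ("plain", PLAIN_XSL), ("binary", "\xff\xd8 not xml")):
        print(label, inspect_xsl(doc))
```

Because the check keys on the element's namespace rather than on the prefix, a stylesheet that binds the msxsl namespace to some other prefix is still caught; a file that does not parse as XML at all is reported as such instead of raising.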
QRadar Detection Query
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN "Process Name" ILIKE '%msxsl.exe%' AND ("Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' OR "Command" ILIKE '%ftp://%' OR "Command" ILIKE '%\\\\%') THEN 'msxsl-remote-xsl'
    WHEN "Process Name" ILIKE '%msxsl.exe%' AND ("Command" ILIKE '%.jpeg %' OR "Command" ILIKE '%.jpg %' OR "Command" ILIKE '%.png %' OR "Command" ILIKE '%.gif %' OR "Command" ILIKE '%.txt %' OR "Command" ILIKE '%.dat %' OR "Command" ILIKE '%.bin %' OR "Command" ILIKE '%.log %') THEN 'msxsl-arbitrary-ext'
    WHEN "Process Name" ILIKE '%msxsl.exe%' THEN 'msxsl-local-xsl'
    WHEN "Process Name" ILIKE '%wmic.exe%' AND "Command" ILIKE '%/format%' AND ("Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%') THEN 'squiblytwo-remote'
    WHEN "Process Name" ILIKE '%wmic.exe%' AND "Command" ILIKE '%/format%' AND ("Command" ILIKE '%.xsl%' OR "Command" ILIKE '%.xslt%') THEN 'squiblytwo-local'
    ELSE 'unknown'
  END AS technique_variant,
  CASE
    WHEN "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' OR "Command" ILIKE '%ftp://%' THEN 1
    ELSE 0
  END AS remote_load
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    "Process Name" ILIKE '%msxsl.exe%'
    OR (
      "Process Name" ILIKE '%wmic.exe%'
      AND "Command" ILIKE '%/format%'
      AND ("Command" ILIKE '%.xsl%' OR "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%')
    )
  )
ORDER BY starttime DESC
LIMIT 5000
LAST 1 DAYS

AQL query for QRadar detecting T1220 XSL Script Processing. It selects msxsl.exe executions (with remote URLs, UNC paths, or non-XSL file extensions as XSL arguments) and wmic.exe /FORMAT invocations that reference XSL/XSLT files or remote URLs, over the last day and capped at 5,000 rows, and labels each event with a technique variant for triage. Note that the `msxsl-arbitrary-ext` patterns require a space after the extension, so the masked extension is only matched when another argument follows it, and that an event labelled `msxsl-local-xsl` may still be a test-2-style invocation that passes the same file twice; the variant column does not separate that case.
False Positives & Tuning
- Legitimate use of msxsl.exe in XML/XSLT processing pipelines by document management or reporting software
- System administrators using wmic.exe /FORMAT with local XSL stylesheets for WMI output formatting
- Enterprise software deployment tools that include msxsl.exe and execute it during installation or configuration tasks
Testing Methodology
Validate this detection against the 5 Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: msxsl.exe Local XSL Script Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing test.xml and test.xsl. Sysmon Event ID 7: Image Load for jscript.dll loaded by msxsl.exe, confirming JScript engine activation. Sysmon Event ID 1: Child process whoami.exe spawned by msxsl.exe (or WScript.Shell). Sysmon Event ID 11: File creation events for test.xml and test.xsl.
- Test 2: msxsl.exe Same-File Argument Evasion
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine showing the same filename appearing twice (e.g., 'selfref.xsl selfref.xsl'). Sysmon Event ID 7: Image Load for jscript.dll by msxsl.exe. Sysmon Event ID 11: File creation for selfref.xsl.
- Test 3: Squiblytwo — wmic /FORMAT Remote XSL Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and 'http://127.0.0.1:19823/evil.xsl'. Sysmon Event ID 3: Network Connection attempt from wmic.exe to 127.0.0.1:19823 (connection refused, but the event is still logged). Sysmon Event ID 22: DNS query if a hostname is used instead of an IP address.
- Test 4: Squiblytwo — wmic /FORMAT Local XSL File
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and the %TEMP% path to wmic_test.xsl. Sysmon Event ID 7: jscript.dll loaded by wmic.exe. Sysmon Event ID 11: File creation for wmic_test.xsl.
- Test 5: msxsl.exe Arbitrary Extension Masking
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing '.jpeg' file extensions instead of .xsl. Sysmon Event ID 7: jscript.dll loaded by msxsl.exe. Sysmon Event ID 11: File creation events for data.jpeg and style.jpeg.
References (10)
- https://attack.mitre.org/techniques/T1220/
- https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- https://lolbas-project.github.io/lolbas/Binaries/Msxsl/
- https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_msxsl.yml
- https://www.cybereason.com/blog/astaroth-malware-abuses-legitimate-os-and-antivirus-processes