Detect XSL Script Processing in Splunk
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files support embedded scripting in JScript (JavaScript), VBScript and other languages. Two primary abuse vectors exist: (1) msxsl.exe, Microsoft's command-line XSLT transformation utility, which executes script embedded in a local or remote XSL file and, because it does not validate file extensions, accepts stylesheets disguised as other file types; and (2) wmic.exe with the /FORMAT switch ('Squiblytwo'), which loads a local or remote XSL stylesheet through WMI and runs the JScript or VBScript it contains. Both techniques proxy code execution through Microsoft-signed binaries and so can slip past publisher-based application control rules such as AppLocker. Since msxsl.exe is not installed by default, adversaries typically drop it alongside their payloads. Real-world usage includes Astaroth, Cobalt Group, and Higaisa.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1220 XSL Script Processing
- Canonical reference: https://attack.mitre.org/techniques/T1220/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval CommandLine=lower(CommandLine)
| eval is_msxsl=if(match(Image, "msxsl\\.exe$"), 1, 0)
| eval is_wmic_format=if(match(Image, "wmic\\.exe$") AND match(CommandLine, "/format"), 1, 0)
| where is_msxsl=1 OR is_wmic_format=1
| eval RemoteLoad=if(match(CommandLine, "(https?://|ftp://|\\\\\\\\)"), 1, 0)
| eval SameFileArg=if(match(CommandLine, "(\\S+\\.\\w+)\\s+\\1"), 1, 0)
| eval ArbitraryExt=if(match(CommandLine, "\\.(jpeg|jpg|png|gif|txt|dat|bin|log)(\\s|$)"), 1, 0)
| eval XslFormat=if(match(CommandLine, "/format[:\\s]+\\S*\\.xsl"), 1, 0)
| eval RemoteXslFormat=if(is_wmic_format=1 AND RemoteLoad=1, 1, 0)
| eval TechniqueVariant=case(
    is_msxsl=1 AND RemoteLoad=1, "msxsl-remote-xsl",
    is_msxsl=1 AND SameFileArg=1, "msxsl-same-file",
    is_msxsl=1 AND ArbitraryExt=1, "msxsl-arbitrary-ext",
    is_msxsl=1, "msxsl-local-xsl",
    RemoteXslFormat=1, "squiblytwo-remote",
    is_wmic_format=1 AND XslFormat=1, "squiblytwo-local",
    is_wmic_format=1, "wmic-format-builtin",
    true(), "unknown")
| eval RiskScore=is_msxsl + RemoteLoad + SameFileArg + ArbitraryExt + RemoteXslFormat + XslFormat
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TechniqueVariant, RemoteLoad, SameFileArg, ArbitraryExt, XslFormat, RiskScore
| sort - _time

Detects XSL Script Processing (T1220) abuse via Sysmon Event ID 1 (Process Create). Every execution of msxsl.exe is flagged, since the binary is not installed by default, and wmic.exe is flagged when its /FORMAT switch references an XSL file or a remote URL (Squiblytwo). Each hit is classified into a technique variant (msxsl-remote-xsl, msxsl-same-file, msxsl-arbitrary-ext, msxsl-local-xsl, squiblytwo-remote, squiblytwo-local) and scored by the number of independent suspicious indicators present; a higher RiskScore means more indicators agree and therefore higher confidence. wmic /FORMAT with a built-in stylesheet name such as list, csv or xml is kept as wmic-format-builtin with a score of (typically) 0, so it can be allowlisted during tuning without blinding the rule to an explicit .xsl path. The ArbitraryExt check accepts a masked extension at the end of the command line as well as mid-line, and all regexes run against the lowercased command line as Sysmon logged it; an adversary who quotes, reorders or separates arguments differently can evade the SameFileArg and XslFormat regexes, so treat the variant as a triage hint rather than a hard classification.
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational with Event ID 1 (Process Create), which must populate Image, CommandLine, ParentImage, ParentCommandLine and User. The query uses Event ID 1 only; Event IDs 3 (Network Connection), 7 (Image Load), 11 (File Create) and 22 (DNS Query) from the same sourcetype corroborate hits during testing but are not required.
False Positives & Tuning
- Legitimate XSLT transformations performed by developers or build pipelines using msxsl.exe — rare since the tool is not installed by default
- WMIC reporting scripts that use /FORMAT with built-in XSL stylesheets from %SystemRoot%\System32\wbem\en-US\
- XML/XSLT tooling in CI/CD pipelines or data processing workflows invoking msxsl.exe for document transformation
- System administration scripts using wmic /FORMAT for structured output — verify XSL path resolves to a known-good system location
Testing Methodology
Validate this detection against five tests derived from the Atomic Red Team coverage of T1220. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: msxsl.exe Local XSL Script Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing test.xml and test.xsl. Sysmon Event ID 7: Image Load for jscript.dll loaded by msxsl.exe, confirming JScript engine activation. Sysmon Event ID 1: Child process whoami.exe whose ParentImage is msxsl.exe (the script launches it through the in-process WScript.Shell COM object, so no wscript.exe intermediary appears). Sysmon Event ID 11: File creation events for test.xml and test.xsl.
- Test 2: msxsl.exe Same-File Argument Evasion
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine showing the same filename appearing twice (e.g., 'selfref.xsl selfref.xsl'). Sysmon Event ID 7: Image Load for jscript.dll by msxsl.exe. Sysmon Event ID 11: File creation for selfref.xsl.
- Test 3: Squiblytwo, wmic /FORMAT Remote XSL Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and 'http://127.0.0.1:19823/evil.xsl'. Sysmon Event ID 3: Network Connection attempt from wmic.exe to 127.0.0.1:19823 (connection refused, but the event is still logged). Sysmon Event ID 22: DNS query if a hostname is used instead of an IP address.
- Test 4: Squiblytwo, wmic /FORMAT Local XSL File
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and the %TEMP% path to wmic_test.xsl. Sysmon Event ID 7: jscript.dll loaded by wmic.exe. Sysmon Event ID 11: File creation for wmic_test.xsl.
- Test 5: msxsl.exe Arbitrary Extension Masking
Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing '.jpeg' file extensions instead of .xsl. Sysmon Event ID 7: jscript.dll loaded by msxsl.exe. Sysmon Event ID 11: File creation events for data.jpeg and style.jpeg.
References
- https://attack.mitre.org/techniques/T1220/
- https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- https://lolbas-project.github.io/lolbas/Binaries/Msxsl/
- https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_msxsl.yml
- https://www.cybereason.com/blog/astaroth-malware-abuses-legitimate-os-and-antivirus-processes