XSL Script Processing (T1220)

View on ATT&CK

In Playbook

Technique & Subtechniques

  • XSL Script Processing

Associated Tactics

  • Defense Evasion

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

View on ATT&CK

Procedure Examples

Description Source(s)
Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018. Reaqta MSXSL Spearphishing MAR 2018
Desimone, J. (2018, April 18). Status Update. Retrieved September 12, 2024. Twitter SquiblyTwo Detection APR 2018
LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019. LOLBAS Wmic
Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018. Microsoft msxsl.exe
netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018. Penetration Testing Lab MSXSL July 2017
Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019. XSL Bypass Mar 2019
Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using <msxsl:script>. Retrieved July 3, 2018. Microsoft XSLT Script Mar 2017