Detectionhightest

Remote XSL Execution Via Msxsl.EXE

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan PoudelCreated Thu Nov 0975d0a94e-6252-448d-a7be-d953dff527bbwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\msxsl.exe'
        CommandLine|contains: 'http'
    condition: selection

False Positives

Msxsl is not installed by default and is deprecated, so unlikely on most systems.

References

Resolving title…

github.com

Resolving title…

lolbas-project.github.io

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1220 · XSL Script Processing

Rule Metadata

Rule ID

75d0a94e-6252-448d-a7be-d953dff527bb

Status

test

Level

high

Type

Detection

Created

Thu Nov 09

Author

Swachchhanda Shrawan Poudel

Path

rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml

Raw Tags

attack.defense-evasionattack.t1220

View on GitHub