Remote XSL Execution Via Msxsl.EXE

Rule Info

Name
Remote XSL Execution Via Msxsl.EXE
Author
Swachchhanda Shrawan Poudel
Description
Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
Reference
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
Date
2023-11-09 00:00:00
Modified
None
Id
75d0a94e-6252-448d-a7be-d953dff527bb
Tags
attack.defense-evasion attack.t1220
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=75d0a94e-6252-448d-a7be-d953dff527bb

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #5027 from @nasbench - Promote older rules status from `experimental` to `test`
2024-10-01
08c52c367
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Swachchhanda Shrawan Poudel
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14
fc716d14f
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022