XSL Script Processing
XSL Script Processing [T1220]
Information
Name: XSL Script Processing
ID: T1220
Tactics: TA0005
Introduction
XSL Script Processing (T1220) is a technique documented within the MITRE ATT&CK framework that involves attackers abusing Extensible Stylesheet Language (XSL) files for malicious purposes. XSL files are typically used to transform XML documents into other formats. However, adversaries exploit the scripting capabilities within XSL files to execute arbitrary code, evade detection, and bypass security controls.
Deep Dive Into Technique
XSL Script Processing leverages legitimate functionality provided by XSL processors, such as Microsoft's msxsl.exe, to execute arbitrary scripts embedded within XSL files. Attackers typically follow these steps:
Preparation of Malicious XSL Files:
Attackers craft malicious XSL files containing embedded scripts (e.g., JavaScript, VBScript).
These scripts often include commands designed to download additional payloads, execute binaries, or perform reconnaissance.
Execution via Legitimate Utilities:
Adversaries leverage trusted Windows utilities like msxsl.exe or wmic.exe to process XSL files and execute embedded scripts.
Example command using msxsl.exe:
Example command using wmic.exe:
Bypassing Security Controls:
XSL Script Processing is often overlooked by traditional antivirus and endpoint detection tools, as it leverages legitimate system utilities.
It can evade application whitelisting, since the utilities used (msxsl.exe, wmic.exe) are typically allowed and trusted.
Persistence and Execution Mechanisms:
Attackers may schedule tasks or scripts to regularly invoke malicious XSL files, ensuring persistence on compromised systems.
Scripts embedded in XSL files can be dynamically updated, providing attackers flexibility and adaptability in their attacks.
When this Technique is Usually Used
XSL Script Processing is typically observed in various attack stages and scenarios, including:
Initial Access and Execution:
Attackers may utilize phishing emails or malicious attachments containing XSL files.
Malicious documents or scripts may invoke XSL transformations to execute embedded payloads.
Defense Evasion:
Attackers commonly use this technique to bypass application whitelisting, antivirus detection, and endpoint security solutions.
It leverages trusted utilities, making detection more challenging.
Persistence:
Attackers may establish persistence by scheduling tasks or scripts that regularly execute malicious XSL files.
Command and Control (C2):
Malicious XSL scripts can establish communication channels with attacker-controlled servers, enabling remote command execution.
How this Technique is Usually Detected
Detection of XSL Script Processing involves multiple methods and tools, including:
Monitoring Process Execution:
Monitor execution of utilities such as
msxsl.exeandwmic.exefor unusual or unexpected command-line arguments referencing remote locations or suspicious files.
Endpoint Detection and Response (EDR):
EDR solutions can detect anomalous behavior involving XSL transformations, particularly when scripts execute external payloads or communicate with remote servers.
File Integrity Monitoring (FIM):
FIM tools can detect unauthorized creation or modification of XSL files on endpoints.
Network Traffic Analysis:
Inspect network traffic for unusual HTTP requests or downloads of XSL files from external or suspicious domains.
Specific Indicators of Compromise (IoCs):
Suspicious command-line invocations:
Unusual XSL files containing embedded scripting languages (JavaScript, VBScript).
Unexpected outbound HTTP requests retrieving XSL files from unknown domains or IP addresses.
Why it is Important to Detect This Technique
Early detection of XSL Script Processing is critical due to its potential impact on systems and networks, including:
Bypassing Security Controls:
Attackers leverage legitimate system utilities, reducing the effectiveness of traditional antivirus and whitelisting solutions.
Execution of Arbitrary Code:
Embedded scripts within XSL files can execute arbitrary commands, leading to unauthorized access, data exfiltration, or additional malware deployment.
Persistence and Long-term Compromise:
Attackers using this technique can establish persistent footholds within networks, complicating remediation efforts.
Data Exfiltration and Espionage:
Malicious scripts can facilitate data theft, intellectual property breaches, or espionage activities.
Increased Attack Surface:
Overlooking this technique enables attackers to exploit trusted utilities, expanding their operational capabilities and reducing detection opportunities.
Examples
Real-world examples of XSL Script Processing observed in attacks include:
FIN7 Attack Group:
FIN7 (also known as Carbanak) utilized malicious XSL files processed by
wmic.exeto execute payloads during targeted attacks against financial institutions.Attackers used commands similar to:
Impact: Data theft, financial fraud, and persistent network compromise.
APT32 (OceanLotus):
OceanLotus leveraged XSL script processing as part of their attack chain to evade detection and execute malicious payloads.
Malicious XSL files contained embedded JavaScript to download and execute backdoor payloads.
Impact: Espionage, data exfiltration, persistent access to sensitive networks.
Operation Cobalt Kitty:
Attackers utilized XSL script processing as a method to execute payloads and maintain persistence within targeted organizations.
Malicious XSL scripts were used in conjunction with legitimate Windows utilities, complicating detection and remediation.
Impact: Persistent compromise, data theft, and espionage activities.
These examples highlight the versatility and effectiveness of XSL Script Processing as a technique used by sophisticated threat actors to achieve their objectives.
Last updated
Was this helpful?