Skip to content

Hide Navigation Hide TOC

XSL Script Execution Via WMIC.EXE (05c36dd6-79d6-4a9a-97da-3db20298ab2d)

Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

Cluster A Galaxy A Cluster B Galaxy B Level
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern XSL Script Execution Via WMIC.EXE (05c36dd6-79d6-4a9a-97da-3db20298ab2d) Sigma-Rules 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern XSL Script Execution Via WMIC.EXE (05c36dd6-79d6-4a9a-97da-3db20298ab2d) Sigma-Rules 1
XSL Script Processing - T1220 (ebbe170d-aa74-4946-8511-9921243415a3) Attack Pattern XSL Script Execution Via WMIC.EXE (05c36dd6-79d6-4a9a-97da-3db20298ab2d) Sigma-Rules 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern XSL Script Execution Via WMIC.EXE (05c36dd6-79d6-4a9a-97da-3db20298ab2d) Sigma-Rules 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2