msxsl (8cccbfed-3f78-45fd-b5d1-efe884d28f09)
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Command line utility used to perform XSL transformations.
Author: Oddvar Moe
Paths:
* no default

Resources:
* https://twitter.com/subTee/status/877616321747271680
* https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
* https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file

Detection:
* Sigma: proc_creation_win_wmic_xsl_script_processing.yml
* Elastic: defense_evasion_msxsl_beacon.toml
* Elastic: defense_evasion_msxsl_network.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml

[msxsl.exe - LOLBAS Project]

Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
msxsl (8cccbfed-3f78-45fd-b5d1-efe884d28f09) | Tidal Software | Cobalt Group (58db02e6-d908-47c2-bc82-ed58ada61331) | Tidal Groups | 1 |