MsXsl.exe Network Connection for Defense Evasion
Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.
MsXsl.exe is a Windows utility designed to transform XML data using XSLT stylesheets. Adversaries are known to abuse this utility to execute malicious scripts, bypassing application control and other security measures. This behavior is often used as a defense evasion technique to download or execute malicious payloads. This activity has been observed since at least March 2020. The abuse of msxsl.exe allows attackers to establish command and control or exfiltrate sensitive data without being easily detected, as the tool is a signed Microsoft binary. This matters for defenders because it highlights the need to monitor legitimate system utilities for anomalous behavior, specifically network connections to external IP addresses.
Attack Chain
- An attacker gains initial access to a Windows system through unspecified means.
- The attacker leverages msxsl.exe to execute a malicious script.
- Msxsl.exe initiates a network connection to an external IP address.
- The script downloads a malicious payload from the external server.
- The downloaded payload is executed on the compromised system.
- The attacker establishes a command and control channel through the network connection.
- The attacker performs data exfiltration via the established C2 channel.
Impact
Compromised systems can be used for further malicious activities, including data theft, lateral movement, and deployment of additional malware. Successful exploitation can lead to sensitive data exfiltration, disruption of services, or complete system compromise. The low risk score does not represent impact, but instead reflects that the behavior is not always malicious, and may be a feature of normal software operation.
Recommendation
- Enable Sysmon network connection logging to monitor msxsl.exe network activity.
- Deploy the Sigma rule “Network Connection via MsXsl” to your SIEM and tune for your environment to detect suspicious network connections originating from msxsl.exe.
- Investigate any alerts generated by the Sigma rule, focusing on the destination IP address and the parent process of msxsl.exe.
- Whitelist legitimate uses of msxsl.exe in your environment based on known good processes or applications to reduce false positives.
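As an added illustration of the rule logic described above (example code written for this page, not the platform's Sigma rule), the following Python applies the same check to constructed Sysmon Event ID 3 (NetworkConnect) records. Field names follow Sysmon's schema; the list of address ranges treated as internal (RFC 1918, loopback, link-local) is an assumption about how "non-private" is defined.

```python
import ipaddress
from typing import Dict, Iterable, List

# Ranges treated as internal: RFC 1918, loopback and link-local (assumed filter list).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")
]

# Constructed sample Sysmon records, flattened to dicts (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "3", "Image": r"C:\Windows\System32\msxsl.exe", "DestinationIp": "192.168.1.20",
     "DestinationPort": "445", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "3", "Image": r"C:\Users\Public\msxsl.exe", "DestinationIp": "203.0.113.7",
     "DestinationPort": "443", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "3", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": "443", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "1", "Image": r"C:\Users\Public\msxsl.exe", "CommandLine": "msxsl.exe in.xml style.xsl",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def is_internal_ip(addr: str) -> bool:
    """True when addr falls inside one of the internal ranges; unparsable input is not internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def detect_msxsl_network(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return NetworkConnect events in which msxsl.exe reached a non-internal address."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "3":
            continue  # only Event ID 3 carries DestinationIp
        if not ev.get("Image", "").lower().endswith("\\msxsl.exe"):
            continue
        if is_internal_ip(ev.get("DestinationIp", "")):
            continue  # private/loopback/link-local destinations are tuned out
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect_msxsl_network(SAMPLE_EVENTS):
        print(f"ALERT msxsl.exe -> {hit['DestinationIp']}:{hit['DestinationPort']} "
              f"parent={hit['ParentImage']}")
```

The parent process and destination printed per alert are the two fields the investigation step above asks analysts to focus on.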
Detection coverage
- Network Connection via MsXsl (severity: low): Detects msxsl.exe making a network connection to a non-private IP address, which may indicate malicious activity.
- MsXsl Process Start (severity: low): Detects msxsl.exe process creation, which could indicate adversarial activity.