{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/com-interface/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Excel","PowerPoint","Word"],"_cs_severities":["medium"],"_cs_tags":["xsl-script","com-interface","office-macro"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging the Microsoft.XMLDOM COM interface in Microsoft Office applications to execute malicious scripts. This technique involves embedding malicious JScript or VBScript within XSL transformations, which are then processed by Office applications like Word, Excel, PowerPoint, and Publisher. The exploitation begins when a user opens a specially crafted document. This campaign abuses legitimate functionalities for malicious purposes. This technique can be used for initial access, defense evasion, and execution of arbitrary code. The observed behavior includes the loading of \u003ccode\u003emsxml3.dll\u003c/code\u003e and the spawning of child processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a phishing email containing a malicious Office document.\u003c/li\u003e\n\u003cli\u003eThe user opens the document in Microsoft Word (winword.exe), Excel (excel.exe), PowerPoint (powerpnt.exe), or Publisher (mspub.exe).\u003c/li\u003e\n\u003cli\u003eThe Office application loads \u003ccode\u003emsxml3.dll\u003c/code\u003e to process XML content within the document.\u003c/li\u003e\n\u003cli\u003eThe document contains an embedded XSL script with malicious JScript or VBScript code.\u003c/li\u003e\n\u003cli\u003eThe XSL transformation is initiated, executing the embedded script via the COM interface.\u003c/li\u003e\n\u003cli\u003eThe script spawns a new process (cmd.exe, powershell.exe, or mshta.exe) to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe spawned process downloads and executes a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence, escalates privileges, and performs malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, potentially compromising sensitive data and allowing attackers to gain initial access to the targeted system. This can result in data breaches, financial losses, and reputational damage. The scope of impact includes any Windows systems running vulnerable versions of Microsoft Office. If successful, the attacker can achieve persistence, perform lateral movement and compromise other systems on the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;XSL Script Execution via COM\u0026rdquo; to your SIEM to detect the execution of hosted XSL scripts using the Microsoft.XMLDOM COM interface.\u003c/li\u003e\n\u003cli\u003eMonitor for the loading of \u003ccode\u003emsxml3.dll\u003c/code\u003e by Microsoft Office applications and subsequent process creations to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized scripts and executables, particularly those not located in standard directories.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unusual or unsigned child processes spawned by Microsoft Office applications to prevent malicious script execution.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious attachments or clicking on links in phishing emails (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:22:00Z","date_published":"2024-01-26T18:22:00Z","id":"/briefs/2024-01-xsl-script-execution-via-com/","summary":"Adversaries may exploit Microsoft Office applications to execute malicious JScript or VBScript by leveraging the Microsoft.XMLDOM COM interface to process and transform XML documents using XSL scripts, potentially leading to initial access or defense evasion.","title":"XSL Script Execution via COM Interface in Microsoft Office","url":"https://feed.craftedsignal.io/briefs/2024-01-xsl-script-execution-via-com/"}],"language":"en","title":"CraftedSignal Threat Feed — Com-Interface","version":"https://jsonfeed.org/version/1.1"}