DET0205: Detect XSL Script Abuse via msxsl and wmic
Analyst context for executives and security teams
This detection strategy matters because it points defenders at a Windows stealth behavior where XSL files can carry embedded script and be processed through tools such as msxsl or wmic. For leaders, the business issue is not the file format itself; it is whether application control, endpoint monitoring, and SOC triage can recognize trusted or administrative tooling being used to obscure code execution.
Executive priority
Prioritize this as a resilience and control-validation question: can the organization prove it monitors unusual XSL script processing on Windows, especially where trusted utilities may bypass or weaken application-control assumptions? Security leaders should ask whether endpoint telemetry, command-line logging, and incident response playbooks can distinguish legitimate XML/XSL processing from suspicious execution patterns without relying only on blocklists.
Technical view
DET0205 is a detection strategy for T1220, XSL Script Processing, associated with the enterprise domain and the stealth tactic. Because the ATT&CK object does not provide official detection logic, SOC and detection teams should validate coverage around Windows execution involving msxsl and wmic, XSL file handling, embedded script indicators, and unusual parent-child process relationships. Triage should focus on context: who launched the tool, from where, with what command-line arguments, what XSL/XML content was referenced, and what follow-on processes or file/network activity occurred.
Likely telemetry
- Windows endpoint process creation events with full command-line arguments
- Parent-child process relationships for msxsl, wmic, and follow-on processes
- File creation, modification, or access events involving XSL/XML content
- Endpoint security or EDR events related to script execution and trusted utility abuse
- Application control allow/deny events where available
Detection direction
- Validate whether telemetry captures command lines and parent-child process context for msxsl and wmic on Windows systems.
- Hunt for XSL processing that leads to unexpected process creation, script execution, or access to unusual file paths.
- Tune detections with environment context because legitimate XML/XSL workflows and administrative WMI usage may create false positives.
- Correlate suspicious XSL processing with application-control events to identify potential bypass or policy gaps.
- Use the relationship to T1220 as the detection anchor; avoid assuming broader platform coverage because the detection-strategy object itself does not specify platforms or detection logic.
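The hunt described above, as an added example that is not part of the original page or of ATT&CK itself: it runs a triage rule over constructed Windows process-creation events, flags msxsl/wmic invocations that reference XSL or remote content, raises severity on unusual parents or UNC/HTTP sources, and suppresses one documented approved workflow. The parent list, the approved-workflow set and the sample events are assumptions to be replaced with local baselines.

```python
import re
from typing import Optional

XSL_TOOLS = ("msxsl.exe", "wmic.exe")
# Parents from which XSL processing is rarely legitimate (assumed list; tune to your estate).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "mshta.exe"}
# Command line references an XSL file, an HTTP(S) URL, or a UNC path.
XSL_REF = re.compile(r"\.xslt?\b|https?://|\\\\[\w.-]+\\", re.IGNORECASE)
# Approved, documented workflows as (lower-cased image path, parent basename); assumed example.
APPROVED = {(r"c:\tools\msxsl.exe", "cmd.exe")}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(event: dict) -> Optional[dict]:
    """Return a finding for an event that looks like XSL script processing, else None."""
    image = basename(event["image"])
    if image not in XSL_TOOLS:
        return None
    cmd = event["cmdline"]
    if not XSL_REF.search(cmd):
        return None  # plain WMI/admin use with no XSL or remote reference
    parent = basename(event["parent"])
    if (event["image"].lower(), parent) in APPROVED:
        return None  # matches a documented business workflow
    reasons, severity = [f"{image} referenced XSL or remote content"], "medium"
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"unusual parent {parent}")
        severity = "high"
    if re.search(r"https?://|\\\\", cmd):
        reasons.append("remote or UNC source")
        severity = "high"
    return {"severity": severity, "user": event["user"], "parent": parent,
            "reasons": reasons, "cmdline": cmd}

def triage(events) -> list:
    return [f for f in map(assess, events) if f]

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "wmic os get caption,version", "user": "CORP\\jdoe"},
    {"image": r"C:\Tools\msxsl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msxsl.exe report.xml report.xsl -o report.html", "user": "CORP\\buildsvc"},
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\msxsl.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "msxsl.exe invoice.xml invoice.xsl", "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic process get /format:"\\fileshare\public\stylesheet.xsl"', "user": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["user"], finding["parent"], "; ".join(finding["reasons"]))
```

Only the last two sample events produce findings; the first is ordinary WMI use and the second is the approved build workflow.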
Mitigation priorities
- Confirm application-control policy treatment of XSL processing utilities and administrative tools used in the environment.
- Restrict unnecessary use of trusted utilities where business workflows do not require them.
- Ensure endpoint logging captures process command lines, parent-child relationships, and file context needed for investigation.
- Document approved XML/XSL processing workflows so SOC teams can tune detections and identify outliers.
- Prepare IR guidance for collecting referenced XSL/XML files, execution context, and follow-on activity when suspicious use is observed.
Analyst notes and limits
The strongest source-backed context is the relationship to T1220, which describes adversary abuse of embedded scripts in XSL files to obscure execution and potentially bypass application control. The detection-strategy name specifically references msxsl and wmic, so defensive validation should center on those tools while remaining dependent on local baselines.
The ATT&CK detection-strategy object has no official description, no official detection text, no specified platforms, and no tactics of its own. Windows and stealth context come from the related T1220 technique. Local telemetry, approved software usage, and business workflows are required to determine actual detection quality and risk.
Detect XSL Script Abuse via msxsl and wmic
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1220 | XSL Script Processing | This object detects XSL Script Processing. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 368882325751… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0205 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.