Windows
msxsl.exemsxsl.exe
Platform
Windows
Abuse functions
6
Mapped techniques
3
Description
msxsl.exe is a Windows living-off-the-land binary catalogued by the LOLBAS Project. Documented abuse functions: Execute, AWL Bypass, Download, ADS. Mapped ATT&CK techniques (per LOLBAS / GTFOBins → MITRE crosswalk): T1105, T1218, T1564.004. Defenders should monitor execution of msxsl.exe under non-administrative or sudo contexts and alert when its arguments match the abuse-function signatures.
Abuse functions· 6
ExecuteT1220
Local execution of script stored in XSL file.
AWL BypassT1220
Local execution of script stored in XSL file.
ExecuteT1220
Local execution of remote script stored in XSL script stored as an XML file.
AWL BypassT1220
Local execution of remote script stored in XSL script stored as an XML file.
DownloadT1105
Download a file from the internet and save it to disk.
ADST1564
Download a file from the internet and save it to an NTFS Alternate Data Stream.
MITRE ATT&CK techniques· 3
Uses3
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Technique | XSL Script Processingt1220 | 100% | live |
| Technique | Ingress Tool Transfert1105 | 100% | live |
| Technique | Hide Artifactst1564 | 100% | live |
Abuses3
| Type | Target | Confidence | Tier |
|---|---|---|---|
| SubTechnique | NTFS File Attributest1564.004 | 90% | live |
| Technique | Ingress Tool Transfert1105 | 85% | live |
| Technique | System Binary Proxy Executiont1218 | 85% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.