T1218.005 - msxsl + typeperf Execution - EDR Detection (PowerQuery)
PowerQuery-based EDR detection for LOLBin abuse: msxsl.exe launched from a non-standard (Roaming AppData) path, and typeperf.exe invoked with a processor-queue-length counter and sampling arguments.
Properties
| Property | Value |
|---|---|
| Platform | EDR |
| Query Language | PowerQuery |
| MITRE TTP | T1218.005 |
| Detection Stage | Behavioral |
| Status | Verified |
| Related TTPs | T1218.005 – msxsl.exe & typeperf.exe – LOLBin Code Execution |
| Related IOCs | Linked IOC records |
| Related Playbook | T1218.005 – msxsl / typeperf Execution Response Playbook |
Query
filter(
    event.type == "Process Creation" and
    (
        (src.process.name == "msxsl.exe" and src.process.image.path contains "AppData\\Roaming\\Microsoft\\Network")
        or
        (src.process.name == "typeperf.exe" and src.process.cmdline contains_all("\\System\\Processor Queue Length","-si","-sc"))
    )
)
| columns event.time, agent.uuid, src.process.user, src.process.name, src.process.cmdline, src.process.parent.name, src.process.image.path
| sort - event.time
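The predicate above, re-implemented in Python as an added example (not part of the original detection page) so the logic can be exercised offline against constructed process-creation events before the query is deployed; field names follow the page's schema, all values are made up, and string matching is assumed to be case-insensitive as in the EDR.

```python
# Added example (not from the original page): the PowerQuery predicate above
# re-implemented in Python so it can be exercised offline against constructed
# process-creation events before the query is deployed. Field names follow the
# page's schema; all values are made up for illustration.
from typing import Any

# Mirror of PowerQuery's contains_all(): every needle must appear (case-insensitive assumed).
def contains_all(haystack: str, *needles: str) -> bool:
    h = haystack.lower()
    return all(n.lower() in h for n in needles)

def matches(ev: dict[str, Any]) -> bool:
    """True when the event satisfies the page's detection predicate."""
    if ev.get("event.type") != "Process Creation":
        return False
    name = ev.get("src.process.name", "").lower()
    if name == "msxsl.exe":  # LOLBin running from a Roaming AppData path
        return r"appdata\roaming\microsoft\network" in ev.get("src.process.image.path", "").lower()
    if name == "typeperf.exe":  # counter sampling with interval (-si) and sample-count (-sc) flags
        return contains_all(ev.get("src.process.cmdline", ""),
                            r"\System\Processor Queue Length", "-si", "-sc")
    return False

def hunt(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Apply the predicate and project the process columns the query returns."""
    cols = ("src.process.name", "src.process.cmdline",
            "src.process.parent.name", "src.process.image.path")
    return [{c: ev.get(c) for c in cols} for ev in events if matches(ev)]

# Constructed sample telemetry: two events that should fire, two that should not.
SAMPLE_EVENTS = [
    {"event.type": "Process Creation", "src.process.name": "msxsl.exe",
     "src.process.image.path": r"C:\Users\alice\AppData\Roaming\Microsoft\Network\msxsl.exe",
     "src.process.cmdline": "msxsl.exe data.xml style.xsl", "src.process.parent.name": "winword.exe"},
    {"event.type": "Process Creation", "src.process.name": "typeperf.exe",
     "src.process.image.path": r"C:\Windows\System32\typeperf.exe",
     "src.process.cmdline": r'typeperf.exe "\System\Processor Queue Length" -si 5 -sc 3',
     "src.process.parent.name": "cmd.exe"},
    {"event.type": "Process Creation", "src.process.name": "typeperf.exe",  # benign counter listing
     "src.process.image.path": r"C:\Windows\System32\typeperf.exe",
     "src.process.cmdline": "typeperf.exe -q", "src.process.parent.name": "cmd.exe"},
    {"event.type": "Process Creation", "src.process.name": "msxsl.exe",  # conventional install path
     "src.process.image.path": r"C:\Program Files\msxsl\msxsl.exe",
     "src.process.cmdline": "msxsl.exe data.xml style.xsl", "src.process.parent.name": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the script prints only the first two sample events, which is the set the EDR query would return for the same telemetry.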
Hunting Logic:
- Combine process telemetry from msxsl.exe and typeperf.exe with DNS/HTTP telemetry.
- Alert when typeperf.exe executes with an abnormal parent and command line.