There is a typo on line 519, instead of monitoring for .xsl file creations, the configuration is monitoring for .xls.
There is a duplicate entry on line 537 to capture .xls file creations.
Original line:
<TargetFilename condition="end with">.xls</TargetFilename><!--Microsoft [ https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 ] -->
There is a typo on line
519, instead of monitoring for.xslfile creations, the configuration is monitoring for.xls. There is a duplicate entry on line 537 to capture.xlsfile creations.Original line:
<TargetFilename condition="end with">.xls</TargetFilename><!--Microsoft [ https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 ] -->Updated line:
<TargetFilename condition="end with">.xsl</TargetFilename><!--Microsoft [ https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 ] -->