diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 23c30d8b..9468d0fc 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -38716,12 +38716,10 @@ defense-evasion: atomic_tests: - name: MSXSL Bypass using local files auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d - description: 'Executes the code specified within a XSL script tag during XSL - transformation using a local payload. Requires download of MSXSL from Microsoft - at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe - when test sucessfully executed, while AV turned off. - -' + description: "Executes the code specified within a XSL script tag during XSL + transformation using a local payload. \nRequires download of MSXSL from Microsoft + (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 + ). \nOpen Calculator.exe when test sucessfully executed, while AV turned off.\n" supported_platforms: - windows input_arguments: @@ -38753,6 +38751,16 @@ defense-evasion: get_prereq_command: | New-Item -Type Directory (split-path #{xslfile}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" + - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) + +' + prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} + +' + get_prereq_command: | + Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "$env:TEMP\msxsl.exe" + Copy-Item $env:TEMP\msxsl.exe #{msxsl_exe} -Force + Remove-Item $env:TEMP\msxsl.exe executor: command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md index 298493f8..d55292c8 100644 --- a/atomics/T1220/T1220.md 
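Review bot: The new `get_prereq_command` downloads msxsl.exe from a web.archive.org snapshot and copies it to `#{msxsl_exe}` with no integrity check, so whatever the archive serves at that URL is the binary the test later runs. Pin the expected digest and fail closed before the `Copy-Item`, e.g. `if ((Get-FileHash "$env:TEMP\msxsl.exe" -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { Remove-Item "$env:TEMP\msxsl.exe"; exit 1 }`, replacing the placeholder with the hash of a known-good copy. Separately, the prereq tests `#{msxsl_exe}` but the executor context line still calls the hard-coded `C:\Windows\Temp\msxsl.exe`; the `input_arguments` block is outside this hunk, so either confirm its default matches that path or change the command to use `#{msxsl_exe}`. The same three download lines are repeated in the T1220.md hunk and need the same change.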
+++ b/atomics/T1220/T1220.md @@ -31,7 +31,9 @@ Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
## Atomic Test #1 - MSXSL Bypass using local files -Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. +Executes the code specified within a XSL script tag during XSL transformation using a local payload. +Requires download of MSXSL from Microsoft (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ). +Open Calculator.exe when test sucessfully executed, while AV turned off. **Supported Platforms:** Windows @@ -80,6 +82,17 @@ if (Test-Path #{xslfile}) {exit 0} else {exit 1} New-Item -Type Directory (split-path #{xslfile}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" ``` +##### Description: msxsl.exe must exist on disk at specified location (#{msxsl_exe}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "$env:TEMP\msxsl.exe" +Copy-Item $env:TEMP\msxsl.exe #{msxsl_exe} -Force +Remove-Item $env:TEMP\msxsl.exe +```