LOLBAS/yml/OtherMSBinaries/vstest.console.yml

---
Name: vstest.console.exe
Description: VSTest.Console.exe is the command-line tool to run tests
Author: Onat Uzunyayla
Created: 2023-09-08
Commands:
  - Command: vstest.console.exe testcode.dll
    Description: VSTest functionality may allow an adversary to executes their malware by wrapping it as a test method then build it to a .exe or .dll file to be later run by vstest.console.exe. This may both allow AWL bypass or defense bypass in general
    Usecase: Proxy Execution and AWL bypass, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe
    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
Code_Sample:
  - Code: https://github.com/onatuzunyayla/vstest-lolbin-example/
Detection:
  - IOC: vstest.console.exe spawning unexpected processes
Resources:
  - Link: https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022
Acknowledgement:
  - Person: Onat Uzunyayla
  - Person: Ayberk Halac
Create vstest.console.exe (#322) * vstest.console.exe awl bypass * Create testwindowremoteagent.yaml Data Exfiltration with TestWindowRemoteAgent.exe is added * Create vstest.yaml In order to utilize this, you have to create a Unit Test project for c++ preferrably (because it builds into a single DLL easily) and write your malicious code inside the test method then build it. the main function will not run any code at all but when you call vstest.console to run your unit tests it also performs the other code inside the test method so you can run your code without directly running exe or dll * Delete testwindowremoteagent.yaml * Update vstest.yaml A new description added 2023-10-18 17:28:04 +02:00			`---`
			`Name: vstest.console.exe`
			`Description: VSTest.Console.exe is the command-line tool to run tests`
			`Author: Onat Uzunyayla`
Fixing yml files with .yaml extension (#338) 2023-10-19 18:17:15 +02:00			`Created: 2023-09-08`
Create vstest.console.exe (#322) * vstest.console.exe awl bypass * Create testwindowremoteagent.yaml Data Exfiltration with TestWindowRemoteAgent.exe is added * Create vstest.yaml In order to utilize this, you have to create a Unit Test project for c++ preferrably (because it builds into a single DLL easily) and write your malicious code inside the test method then build it. the main function will not run any code at all but when you call vstest.console to run your unit tests it also performs the other code inside the test method so you can run your code without directly running exe or dll * Delete testwindowremoteagent.yaml * Update vstest.yaml A new description added 2023-10-18 17:28:04 +02:00			`Commands:`
			`- Command: vstest.console.exe testcode.dll`
			`Description: VSTest functionality may allow an adversary to executes their malware by wrapping it as a test method then build it to a .exe or .dll file to be later run by vstest.console.exe. This may both allow AWL bypass or defense bypass in general`
			`Usecase: Proxy Execution and AWL bypass, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe`
			`Category: AWL Bypass`
			`Privileges: User`
			`MitreID: T1127`
			`OperatingSystem: Windows 10, Windows 11`
			`Full_Path:`
			`- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe`
			`- Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe`
			`Code_Sample:`
			`- Code: https://github.com/onatuzunyayla/vstest-lolbin-example/`
			`Detection:`
			`- IOC: vstest.console.exe spawning unexpected processes`
			`Resources:`
			`- Link: https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022`
			`Acknowledgement:`
			`- Person: Onat Uzunyayla`
Fixing yml files with .yaml extension (#338) 2023-10-19 18:17:15 +02:00			`- Person: Ayberk Halac`