Create vstest.console.exe (#322)

* vstest.console.exe awl bypass * Create testwindowremoteagent.yaml Data Exfiltration with TestWindowRemoteAgent.exe is added * Create vstest.yaml In order to utilize this, you have to create a Unit Test project for c++ preferrably (because it builds into a single DLL easily) and write your malicious code inside the test method then build it. the main function will not run any code at all but when you call vstest.console to run your unit tests it also performs the other code inside the test method so you can run your code without directly running exe or dll * Delete testwindowremoteagent.yaml * Update vstest.yaml A new description added
2024-10-22 16:49:11 +02:00 · 2023-10-18 18:28:04 +03:00 · 2023-10-18 18:28:04 +03:00 · 7aba6fb550
commit 7aba6fb550
parent b13eb6f4fd
2 changed files with 49 additions and 0 deletions
--- a/yml/OSBinaries/vstest.yaml
+++ b/yml/OSBinaries/vstest.yaml
@ -0,0 +1,24 @@
+---
+Name: vstest.console.exe
+Description: VSTest.Console.exe is the command-line tool to run tests
+Author: Onat Uzunyayla
+Created: 2023-09-08 
+Commands:
+  - Command: vstest.console.exe testcode.dll
+    Description: Executes the test methods inside the crafted dll file
+    Usecase: Proxy Execution, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
+Code_Sample:
+  - Code: https://github.com/onatuzunyayla/vstest-lolbin-example/
+Detection:
+  - IOC: vstest.console.exe spawning unexpected processes
+Resources:
+  - Link: https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022
+Acknowledgement:
+  - Person: Ayberk Halac
--- a/yml/OtherMSBinaries/vstest.yaml
+++ b/yml/OtherMSBinaries/vstest.yaml
@ -0,0 +1,25 @@
+---
+Name: vstest.console.exe
+Description: VSTest.Console.exe is the command-line tool to run tests
+Author: Onat Uzunyayla
+Created: 2023-09-08 
+Commands:
+  - Command: vstest.console.exe testcode.dll
+    Description: VSTest functionality may allow an adversary to executes their malware by wrapping it as a test method then build it to a .exe or .dll file to be later run by vstest.console.exe. This may both allow AWL bypass or defense bypass in general
+    Usecase: Proxy Execution and AWL bypass, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
+Code_Sample:
+  - Code: https://github.com/onatuzunyayla/vstest-lolbin-example/
+Detection:
+  - IOC: vstest.console.exe spawning unexpected processes
+Resources:
+  - Link: https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022
+Acknowledgement:
+  - Person: Onat Uzunyayla
+  - Person: Ayberk Halac