mirror of https://github.com/LOLBAS-Project/LOLBAS (synced 2025-10-25 06:45:41 +02:00)
	Create vstest.console.exe (#322)
* vstest.console.exe awl bypass
* Create testwindowremoteagent.yaml

  Data Exfiltration with TestWindowRemoteAgent.exe is added
* Create vstest.yaml

  In order to utilize this, you have to create a Unit Test project for C++ preferably (because it builds into a single DLL easily) and write your malicious code inside the test method then build it. The main function will not run any code at all but when you call vstest.console to run your unit tests it also performs the other code inside the test method so you can run your code without directly running exe or dll
* Delete testwindowremoteagent.yaml
* Update vstest.yaml

  A new description added
yml/OtherMSBinaries/vstest.yaml (25 lines, Normal file)
							
						
						
									
							| @@ -0,0 +1,25 @@ | ||||
| --- | ||||
| Name: vstest.console.exe | ||||
| Description: VSTest.Console.exe is the command-line tool to run tests | ||||
| Author: Onat Uzunyayla | ||||
| Created: 2023-09-08  | ||||
| Commands: | ||||
|   - Command: vstest.console.exe testcode.dll | ||||
|     Description: VSTest functionality may allow an adversary to executes their malware by wrapping it as a test method then build it to a .exe or .dll file to be later run by vstest.console.exe. This may both allow AWL bypass or defense bypass in general | ||||
|     Usecase: Proxy Execution and AWL bypass, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     OperatingSystem: Windows 10, Windows 11 | ||||
| Full_Path: | ||||
|   - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe | ||||
|   - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe | ||||
| Code_Sample: | ||||
|   - Code: https://github.com/onatuzunyayla/vstest-lolbin-example/ | ||||
| Detection: | ||||
|   - IOC: vstest.console.exe spawning unexpected processes | ||||
| Resources: | ||||
|   - Link: https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022 | ||||
| Acknowledgement: | ||||
|   - Person: Onat Uzunyayla | ||||
|   - Person: Ayberk Halac | ||||
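Review bot: The Detection block is too vague to act on: `- IOC: vstest.console.exe spawning unexpected processes` is the only entry and does not say what counts as unexpected. Since the documented command is `vstest.console.exe testcode.dll`, consider adding IOCs tied to that invocation, for example vstest.console.exe running on a host that is not a build or test machine, or being handed a test DLL/EXE from a user-writable directory. In the command Description, "to executes their malware" should be "to execute their malware", and "This may both allow AWL bypass or defense bypass in general" reads better without "both". Full_Path covers only the 2022 Community and TestAgent locations; if other editions install the binary under the same relative path, list them as well. `Created: 2023-09-08 ` carries a trailing space, and the Name (`vstest.console.exe`) and the top-level Description (`VSTest.Console.exe`) use different casing for the same binary.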