From a6bf398fa81e7d5bfeeb7318a4026992fb21bb9b Mon Sep 17 00:00:00 2001
From: onatuzunyayla <onatuzunyayla@sabanciuniv.edu>
Date: Wed, 9 Aug 2023 22:27:20 +0300
Subject: [PATCH] vstest.console.exe awl bypass

---
 yml/OSBinaries/vstest.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 yml/OSBinaries/vstest.yaml

diff --git a/yml/OSBinaries/vstest.yaml b/yml/OSBinaries/vstest.yaml
new file mode 100644
index 0000000..c68373b
--- /dev/null
+++ b/yml/OSBinaries/vstest.yaml
@@ -0,0 +1,24 @@
+---
+Name: vstest.console.exe
+Description: VSTest.Console.exe is the command-line tool to run tests
+Author: Onat Uzunyayla
+Created: 2023-09-08 
+Commands:
+  - Command: vstest.console.exe testcode.dll
+    Description: Executes the test methods inside the crafted dll file
+    Usecase: Proxy Execution, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
+Code_Sample:
+  - Code: https://github.com/onatuzunyayla/vstest-lolbin-example/
+Detection:
+  - IOC: vstest.console.exe spawning unexpected processes
+Resources:
+  - Link: https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022
+Acknowledgement:
+  - Person: Ayberk Halac
\ No newline at end of file