Adding app-ctrl bypass bins and a few lolscripts

2025-07-27 12:42:19 +02:00 · 2021-09-26 23:31:30 -04:00
parent c48a5ea1ea
commit b5357cdec0
8 changed files with 229 additions and 0 deletions
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@@ -20,6 +20,14 @@ Commands:
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: msbuild.exe project.proj
+    Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
+    Usecase: Execute project file that contains XslTransformation tag parameters
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10    
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@@ -27,6 +35,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
+  - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
 Code_Sample: 
 - Code:
 Detection:
@@ -36,9 +45,12 @@ Resources:
  - Link: https://github.com/Cn33liz/MSBuildShell
  - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+  - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Cn33liz
    Handle: '@Cneelis'
+  - Person: Jimmy
+    Handle: '@bohops'
 ---