mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-29 00:08:11 +01:00
7aba6fb550
* vstest.console.exe awl bypass * Create testwindowremoteagent.yaml Data Exfiltration with TestWindowRemoteAgent.exe is added * Create vstest.yaml In order to utilize this, you have to create a Unit Test project for c++ preferrably (because it builds into a single DLL easily) and write your malicious code inside the test method then build it. the main function will not run any code at all but when you call vstest.console to run your unit tests it also performs the other code inside the test method so you can run your code without directly running exe or dll * Delete testwindowremoteagent.yaml * Update vstest.yaml A new description added
24 lines
1.1 KiB
YAML
24 lines
1.1 KiB
YAML
---
|
|
Name: vstest.console.exe
|
|
Description: VSTest.Console.exe is the command-line tool to run tests
|
|
Author: Onat Uzunyayla
|
|
Created: 2023-09-08
|
|
Commands:
|
|
- Command: vstest.console.exe testcode.dll
|
|
Description: Executes the test methods inside the crafted dll file
|
|
Usecase: Proxy Execution, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe
|
|
Category: AWL Bypass
|
|
Privileges: User
|
|
MitreID: T1127
|
|
OperatingSystem: Windows 10, Windows 11
|
|
Full_Path:
|
|
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
|
|
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
|
|
Code_Sample:
|
|
- Code: https://github.com/onatuzunyayla/vstest-lolbin-example/
|
|
Detection:
|
|
- IOC: vstest.console.exe spawning unexpected processes
|
|
Resources:
|
|
- Link: https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022
|
|
Acknowledgement:
|
|
- Person: Ayberk Halac |