Application Whitelisting Bypass with WMIC and XSL
Another application whitelisting bypass technique discovered by Casey (@subTee), similar to squiblydoo:
regsvr32 (Execution)
Define the XSL file containing the jscript payload:
evil.xsl
Invoke any wmic command now and specify /format pointing to the evil.xsl:
attacker@victim
Observation
Calculator is spawned by svchost.exe.
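A defender-side check for the invocation described above, as an added example that is not part of the original page: it scans process-creation events for wmic.exe command lines whose /format value names a stylesheet file rather than a built-in format keyword. The event field names (`image`, `cmdline`) and the sample events are constructed for illustration.

```python
import re

# Captures the value passed to wmic's /format switch, quoted or bare.
FORMAT_RE = re.compile(r'/format\s*:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def format_value(cmdline):
    """Return the value given to the /format switch, or None if absent."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def is_stylesheet_reference(value):
    """Heuristic: a path separator, a colon or an .xsl extension means the
    value names a file, not a built-in keyword such as list or csv."""
    v = value.strip().lower()
    return v.endswith(".xsl") or any(c in v for c in "\\/:")

def triage(events):
    """Yield (event, reason) for process-creation events worth reviewing."""
    for ev in events:
        # Assumed field names; map them to your own log schema.
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if image != "wmic.exe":
            continue
        value = format_value(ev["cmdline"])
        if value is not None and is_stylesheet_reference(value):
            yield ev, f"wmic /format references stylesheet {value!r}"

# Constructed sample events (not taken from the page).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get /format:list"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic os get /format:"evil.xsl"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic process list /FORMAT:C:\Users\Public\evil.xsl"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo /format:evil.xsl"},
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(reason, "|", ev["cmdline"])
```

Matching on the image file name alone misses a renamed copy of wmic.exe; where the log source records the binary's original file name, match on that field as well.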