.. /vstest.console.exe

AWL bypass (DLL)

VSTest.Console.exe is the command-line tool to run tests

Paths:

Resources:

Acknowledgements:

Detections:

AWL bypass

  1. VSTest functionality may allow an adversary to execute their malware by wrapping it in a test method, then building it into a .exe or .dll file that is later run by vstest.console.exe. This may allow AWL bypass, or defense bypass in general.

    vstest.console.exe {PATH:.dll}

    Use case: Proxy execution and AWL bypass. Adversaries may run malicious code embedded inside the test methods of a crafted dll/exe.
    Privileges required: User
    Operating systems: Windows 10, Windows 11
    ATT&CK® technique: T1127
    Tags: Execute: DLL
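
A triage check for the command above, run over process-creation records. This is an added example, not part of the original entry or of any vendor tooling. The parent allow-list, the suspect directory list, the function names and the sample events are all assumptions constructed for illustration and need tuning per environment.

```python
import ntpath
import re

# Assumption: parents expected to start the test runner on a dev/build host.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# Assumption: user-writable locations where a real test project rarely lives.
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\BuildTools\vstest.console.exe",
     "ParentImage": r"C:\BuildTools\msbuild.exe",
     "CommandLine": r'vstest.console.exe "D:\src\app\bin\App.Tests.dll" /Logger:trx'},
    {"Image": r"C:\BuildTools\vstest.console.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\BuildTools\vstest.console.exe" C:\Users\bob\AppData\Local\Temp\t.dll'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]

def container_args(command_line):
    """Return the .dll/.exe test containers passed to the runner."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    found = []
    for tok in tokens[1:]:                 # tokens[0] is the runner itself
        tok = tok.strip('"')
        if tok.startswith(("/", "-")):     # runner switch, not a container
            continue
        if tok.lower().endswith((".dll", ".exe")):
            found.append(tok)
    return found

def assess(event):
    """Return reasons to review the event; empty list means nothing flagged."""
    if ntpath.basename(event["Image"]).lower() != "vstest.console.exe":
        return []
    reasons = []
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    for path in container_args(event["CommandLine"]):
        if any(d in path.lower() for d in SUSPECT_DIRS):
            reasons.append(f"test container in user-writable path: {path}")
    return reasons

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", assess(ev) or "ok")
```

The check matches on the image file name only, so a renamed copy of the runner is not covered by it.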