.. /vstest.console.exe
Star

AWL bypass

VSTest.Console.exe is the command-line tool to run tests

Paths:

C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe

Resources:

https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022

Acknowledgements:

Onat Uzunyayla
Ayberk Halac

Detection:

IOC: vstest.console.exe spawning unexpected processes

AWL bypass

VSTest functionality may allow an adversary to executes their malware by wrapping it as a test method then build it to a .exe or .dll file to be later run by vstest.console.exe. This may both allow AWL bypass or defense bypass in general

vstest.console.exe testcode.dll

Usecase: Proxy Execution and AWL bypass, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1127

.. /vstest.console.exe Star

AWL bypass

.. /vstest.console.exe
Star