https://connar.github.io/tags/wt.exe/Recent content in Wt.exe on Journal of ConnarHugo -- 0.147.3en-ushttps://connar.github.io/posts/weaponizing-windows-terminal-app/Mon, 01 Jan 0001 00:00:00 +0000https://connar.github.io/posts/weaponizing-windows-terminal-app/<h2 id="execution-and-persistence-via-the-windows-terminal-app">Execution and persistence via the windows terminal app</h2> <h3 id="intro">Intro</h3> <p>We have seen cases in the past where threat actors target dev environments and config files to achieve stealthy execution and persistence. Because these files are trusted by the host applications and often ignored by traditional antivirus, they offer a good place to hide malicious actions.</p> <p>An example of this is the weaponization of project files, such as <code>.csproj</code> files in <a href="https://www.outflank.nl/blog/2023/03/28/attacking-visual-studio-for-initial-access/">visual studio projects</a>. In the past, visual studio code was used for initial access, where attackers embedded malicious MSBuild targets inside <code>.csproj</code> files. When a developer opens or builds the project, visual studio automatically parsed these configurations and executed the hidden commands. The developer believes they are compiling code, but in reality the project file itself is acting as a dropper.</p>