cjm00n / evilsln Goto Github PK

https://github.com/JosiahAlm/VSRCE

Hey, this is a great piece of work, I've been wondering how long it'd be before someone realises all the attack surface for deserialization in VS Projects, just one small critique, you seem to imply that the latest NK attacks using GetSymbol were using this backdoored Visual Studio project method, they were not, you seem to reference the events in 2021 but then link to the 2023 article, just may be worth clarifying so it doesn't cause more people to freak out :)

It also may be worth noting that running strings on the .suo file is enough to see the reference to the vulnerable objects and so it can pretty easily be checked across an estate if any threat hunters etc are concerned.

As a funny anecdote a friend of mine compiled the GetSymbol project and I was helping him with IR and I noticed the .vs folder and the .suo which lead me to discovering this bug by accident as well as a few others in deserialization that I think you hint at in the readme :)

I have the impression that the command to be executed in the payload can only contain 11 characters, can you confirm this?