WMI + MSI Lateral Movement
WMI lateral movement with .msi packages
Execution
Generating a malicious payload as an MSI (Microsoft Installer package):
I tried executing the .msi payload like so, but got a return code 1619, and a quick search on Google returned nothing useful:
I had to resort to a filthy way of achieving the goal:
Additionally, the same could be achieved using PowerShell cmdlets:
Get a prompt for credentials:
and enjoy the code execution:
Or, if no GUI is available to prompt for credentials, a one-liner:
Observations
Note the process ancestry: services > msiexec.exe > .tmp > cmd.exe:
and that the network connection is initiated by the .tmp file (I ran another test, hence the different file name):
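As an added example (not part of the original notes), the two observations above turned into detection logic run over constructed Sysmon-style events: a shell whose parent is an Installer .tmp and whose grandparent is msiexec.exe, and a network connection initiated by such a .tmp. The event shape, PIDs and paths are assumptions made for the example.

```python
from collections import namedtuple

# Minimal event shape, loosely modelled on Sysmon EID 1 (process create)
# and EID 3 (network connect); only the fields the logic needs are kept.
Event = namedtuple("Event", "kind pid ppid image")

# Constructed sample telemetry: one benign cmd.exe and one MSI-spawned chain.
SAMPLE_EVENTS = [
    Event("process", 700, 4, r"C:\Windows\System32\services.exe"),
    Event("process", 1200, 700, r"C:\Windows\System32\msiexec.exe"),
    Event("process", 1340, 1200, r"C:\Windows\Installer\MSI1A2B.tmp"),
    Event("process", 1360, 1340, r"C:\Windows\System32\cmd.exe"),
    Event("network", 1340, None, r"C:\Windows\Installer\MSI1A2B.tmp"),
    Event("process", 2000, 700, r"C:\Windows\System32\svchost.exe"),
    Event("process", 2100, 2000, r"C:\Windows\System32\cmd.exe"),
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, procs):
    """Image names from the process up to the root of the recorded tree."""
    chain = []
    while pid in procs:
        chain.append(image_name(procs[pid].image))
        pid = procs[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for the two behaviours noted above."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        name = image_name(e.image)
        if e.kind == "process" and name == "cmd.exe":
            chain = ancestry(e.pid, procs)
            # parent is an Installer .tmp, grandparent is msiexec.exe
            if len(chain) >= 3 and chain[1].endswith(".tmp") and chain[2] == "msiexec.exe":
                findings.append(("msi_tmp_spawned_shell", e.pid, " > ".join(reversed(chain))))
        elif e.kind == "network" and name.endswith(".tmp"):
            parent = procs.get(procs[e.pid].ppid) if e.pid in procs else None
            if parent and image_name(parent.image) == "msiexec.exe":
                findings.append(("msi_tmp_network_connection", e.pid, e.image))
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags the msiexec-spawned cmd.exe and the .tmp network connection, and ignores the svchost-spawned cmd.exe.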