This repository contains Proof of Concept code and harmless weaponised packages representing various weaponisation strategies that Threat Actors abuse in Windows Installer MSI format.
Supplemental blog post can be found here:
Samples in this directory constitute PoCes presenting different ways to make MSI installation subsystem execute:
- EXE files
- VBScript/JScript
- .NET DLLs
- System commands
1-exe- launches MS Sysinternals Autoruns64.exe fromC:\Windows\Installer\MSXXXX.msi2-vbscript- executes VBScript that runscalcoverWscript.Shell.Execmethod3-dotnet- bundles specially crafted CustomAction .NET DLL, that when executed, runs shellcode which spawnscalc4-post-actions- simple MSI that runs system commands after installation is complete, here runscalc
This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you! 💪
Mariusz Banach / mgeeky, (@mariuszbit)
<mb [at] binary-offensive.com>