The Windows Installer file format – .MSI – exhibits capabilities that might be interesting from an offensive perspective. Rarely explored or discussed, they could be used to circumvent modern cyber defenses and existing threat intelligence rulesets. Knowledge of how Red Teams abuse that format for gaining an initial foothold in tougher environments was kept secret to avoid unnecessarily giving away TTPs.
However, since Threat Actors have started knocking on this door as well, I concluded it is finally time to disclose the underlying MSI installation format sorcery and let security vendors, the defensive community, detection engineers & malware researchers focus on addressing the threats posed by it. Some EDRs still don’t seem to support MOTW, which could be used to prevent an MSI’s execution, as demonstrated by MS Defender for Endpoint’s SmartScreen.
This article opens a series discussing offensive features of the MSI Windows Installer file format.
Part 1 discusses the format’s structure, walks through procedures for building it, discusses various viable weaponization scenarios, and explains how to dissect MSI specimens; it also introduces my tool for quickly triaging them (msidump).
Part 2 will tell the untold story of backdooring existing MSIs.
As a closure, Part 3 shall focus on how Red Teams can incorporate MSIs into the Initial Access stages of their engagements, elaborate a bit on the different ways packages can be installed, and review the impact of security countermeasures that could disrupt them.
Threat Actors and malware developers need to protect their intellectual property just as much as benign software vendors do. Every cybersecurity professional who has worked with malware samples will also know that such protection helps adversaries morph/mutate how their malicious artifacts look & feel under the hood, eventually evading signature-based detection.
Executable protectors, obfuscators, encoders, packers/compressors, virtualizers – these are all specialized software that manipulate input artifacts, producing output with often altered code layout and contents. Sometimes this is done for file size reduction purposes, other times to fend off reverse engineers aiming to disclose their technology & implementation details.
Looks like it’s my first blog post, yay! What is it that I should write about to begin that journey? I have no clue really, but it also just happens I had the great pleasure of presenting at today’s (25/06/2022) @WarConPL conference.
The conference is full of Exploit Development geeks, Vulnerability Research wizards and other sorts of hardcore experts… and me with that kinda out-of-place Red Teaming slide deck 🤩
These were my initial thoughts at least, before I started talking. Having finished my presentation, it turned out many folks there had done their share of Adversary Simulation – and to my surprise – approached me to express how they’d enjoyed my talk, came to start up cool discussions, and shared ideas for awesome new TTPs.
Also, I’ve been asked on numerous occasions whether my slides are going to be shared anywhere. Since I promised, I deliver:
WarCon22 – Modern Initial Access and Evasion Tactics.pdf
Let me know in comments and on Twitter what you think!