https://github.com/mandiant/msi-search

https://github.com/mandiant/msi-search

Last synced: about 1 year ago
JSON representation

• Host: GitHub
• URL: https://github.com/mandiant/msi-search
• Owner: mandiant
• License: apache-2.0
• Archived: true
• Created: 2023-06-29T18:31:56.000Z (almost 3 years ago)
• Default Branch: main
• Last Pushed: 2023-07-20T18:12:49.000Z (almost 3 years ago)
• Last Synced: 2025-03-13T12:32:07.629Z (over 1 year ago)
• Language: C
• Size: 47.9 KB
• Stars: 274
• Watchers: 5
• Forks: 29
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# MSI Search

Windows caches MSI files at `C:\Windows\Installer\` with randomized filenames consisting of letters and numbers followed by the ".msi" extension. This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file to investigate local privilege escalation vulnerabilities through MSI repairs. Read more about MSI repair vulnerabilities at [Escalating Privileges via Third-Party Windows Installers].

Author: Andrew Oliveau (@AndrewOliveau)

## Compile

```

x86_64-w64-mingw32-gcc -c msi_search.c -o msi_search.x64.o

i686-w64-mingw32-gcc -c msi_search.c -o msi_search.x86.o

```

## Usage

Aggressor script included. Import it into Cobalt Strike and run `msi_search`. Alternatively, run the PowerShell script `msi_search.ps1`.








[Escalating Privileges via Third-Party Windows Installers]: https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers