Feature idea: whitelisted MSI packages auditing

[garatc]

Hello,

I have worked on a PowerShell script that lists all installed MSI packages and cross-references them with the new SecureRepair whitelist introduced by Microsoft to revert specific MSI packages to their original, insecure pre-patch state where UAC is not showing during repair. My script shows whether the package is signed, writable and has any NoImpersonate custom action, which are common privesc paths.

I am thinking that it could be a good feature for your project? Either as it is now with the registry whitelist cross-reference or on all installed MSI packages by default, so it could also be used on older systems.

Link to my project: MSIAudit

Cheers!

[itm4n]

Hi!

This looks cool. I think it's a good idea indeed. I'll have to look more closely into it.

Thanks for the suggestion.

[garatc]

That was quick!

Let me know if you want me to open a PR and implement it there directly.

[itm4n]

Thanks, no need to open a PR. I prefer to implement things myself as far as possible honestly. This way, I'm sure I understand all aspects, especially when it's a new feature. This goes without saying that I'll credit your work though.

[garatc]

FYI, I simplified the script a bit (no need to check for signature in our case - probably only useful for MST backdoors) and added a parameter to just scan all packages regardless of the whitelist (useful for older systems that do not have this whitelist)

[garatc]

Hello! I was wondering if you had any ETA regarding this (no pressure of course, just asking if you've already planned something). I still have clients running Windows 10 by the way, where vulnerable MSI packages are even easier to exploit!

[itm4n]

Since I had already worked on MSI file enumeration but "removed" the check at some point, I already had most of the code I needed to implement this feature. The only real addition is the enumeration of the "whitelist" in the registry.

I tested the implementation locally by replicating the "whitelist" conditions in my lab. It will need further testing in real conditions, though.