{"id":9796,"date":"2025-01-01T00:09:30","date_gmt":"2025-01-01T00:09:30","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9796"},"modified":"2025-01-01T00:34:26","modified_gmt":"2025-01-01T00:34:26","slug":"smuggling-payloads-and-tools-in-using-wim-images-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/01\/01\/smuggling-payloads-and-tools-in-using-wim-images-part-2\/","title":{"rendered":"Smuggling payloads and tools in, using WIM images, Part 2"},"content":{"rendered":"\n<p>In this post we explore the <em>dism.exe<\/em> and WIM <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/12\/28\/wimmountdata-ads\/\" data-type=\"post\" data-id=\"9767\">images<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/12\/31\/smuggling-payloads-and-tools-in-using-wim-images\/\" data-type=\"post\" data-id=\"9781\">a bit<\/a> more.<\/p>\n\n\n\n<p>It turns out that WIM files are containers that can include more than one image. One can create the first image using the \/Capture-Image option, and then append new images to the same WIM file using the \/Append-Image command line argument.<\/p>\n\n\n\n<p>In a test scenario, I created 3 subfolders containing:<\/p>\n\n\n\n<ul>\n<li>Image1 &#8211; Sysmon<\/li>\n\n\n\n<li>Image2 &#8211; Eicar<\/li>\n\n\n\n<li>Image3 &#8211; Mimikatz<\/li>\n<\/ul>\n\n\n\n<p>I then created a multi-image <em>newtest.wim<\/em> file using the following syntax:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Dism \/Capture-Image \/ImageFile:\"newtest.wim\" \/CaptureDir:image1_sysmon \/Name:sysmon \nDism \/Append-Image  \/ImageFile:\"newtest.wim\" \/CaptureDir:image2_eicar \/Name:eicar \nDism \/Append-Image  \/ImageFile:\"newtest.wim\" \/CaptureDir:image3_mimikatz \/Name:mimikatz \n<\/pre>\n\n\n\n<p>To confirm the images were added to the <em>newtest.wim<\/em> file, I ran these commands:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dism \/list-image \/imagefile:\"newtest.wim\" 
\/index:1\ndism \/list-image \/imagefile:\"newtest.wim\" \/index:2\ndism \/list-image \/imagefile:\"newtest.wim\" \/index:3<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/list_image.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/list_image.png\" alt=\"\" class=\"wp-image-9797\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/list_image.png 575w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/list_image-300x289.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/list_image-311x300.png 311w\" sizes=\"(max-width: 575px) 100vw, 575px\" \/><\/a><\/figure>\n\n\n\n<p>I was a bit surprised the ADSs were not listed.<\/p>\n\n\n\n<p>Luckily, 7z lists a bit more information:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_7z_list_files.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_7z_list_files.png\" alt=\"\" class=\"wp-image-9798\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_7z_list_files.png 655w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_7z_list_files-264x300.png 264w\" sizes=\"(max-width: 655px) 100vw, 655px\" \/><\/a><\/figure>\n\n\n\n<p>The content of <em>[1].xml<\/em> is forensically interesting:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;WIM&gt;\n &lt;TOTALBYTES&gt;2122196&lt;\/TOTALBYTES&gt;\n\n &lt;IMAGE INDEX=\"1\"&gt;\n  &lt;DIRCOUNT&gt;0&lt;\/DIRCOUNT&gt;\n  &lt;FILECOUNT&gt;1&lt;\/FILECOUNT&gt;\n  &lt;TOTALBYTES&gt;4563248&lt;\/TOTALBYTES&gt;\n  &lt;HARDLINKBYTES&gt;0&lt;\/HARDLINKBYTES&gt;\n  &lt;CREATIONTIME&gt;\n   &lt;HIGHPART&gt;0x01DB5BD0&lt;\/HIGHPART&gt;\n   
&lt;LOWPART&gt;0x5FAF914D&lt;\/LOWPART&gt;\n  &lt;\/CREATIONTIME&gt;\n  &lt;LASTMODIFICATIONTIME&gt;\n   &lt;HIGHPART&gt;0x01DB5BD0&lt;\/HIGHPART&gt;\n   &lt;LOWPART&gt;0x5FB40FD8&lt;\/LOWPART&gt;\n  &lt;\/LASTMODIFICATIONTIME&gt;\n  &lt;WIMBOOT&gt;0&lt;\/WIMBOOT&gt;\n  &lt;NAME&gt;sysmon&lt;\/NAME&gt;\n &lt;\/IMAGE&gt;\n \n &lt;IMAGE INDEX=\"2\"&gt;\n  &lt;DIRCOUNT&gt;0&lt;\/DIRCOUNT&gt;\n  &lt;FILECOUNT&gt;1&lt;\/FILECOUNT&gt;\n  &lt;TOTALBYTES&gt;68&lt;\/TOTALBYTES&gt;\n  &lt;HARDLINKBYTES&gt;0&lt;\/HARDLINKBYTES&gt;\n  &lt;CREATIONTIME&gt;\n   &lt;HIGHPART&gt;0x01DB5BD0&lt;\/HIGHPART&gt;\n   &lt;LOWPART&gt;0x6DB1F772&lt;\/LOWPART&gt;\n  &lt;\/CREATIONTIME&gt;\n  &lt;LASTMODIFICATIONTIME&gt;\n   &lt;HIGHPART&gt;0x01DB5BD0&lt;\/HIGHPART&gt;\n   &lt;LOWPART&gt;0x6DB6281B&lt;\/LOWPART&gt;\n  &lt;\/LASTMODIFICATIONTIME&gt;\n  &lt;WIMBOOT&gt;0&lt;\/WIMBOOT&gt;\n  &lt;NAME&gt;eicar&lt;\/NAME&gt;\n &lt;\/IMAGE&gt;\n\n &lt;IMAGE INDEX=\"3\"&gt;\n  &lt;DIRCOUNT&gt;0&lt;\/DIRCOUNT&gt;\n  &lt;FILECOUNT&gt;4&lt;\/FILECOUNT&gt;\n  &lt;TOTALBYTES&gt;1440600&lt;\/TOTALBYTES&gt;\n  &lt;HARDLINKBYTES&gt;0&lt;\/HARDLINKBYTES&gt;\n  &lt;CREATIONTIME&gt;\n   &lt;HIGHPART&gt;0x01DB5BD0&lt;\/HIGHPART&gt;\n   &lt;LOWPART&gt;0x6FE89BE7&lt;\/LOWPART&gt;\n  &lt;\/CREATIONTIME&gt;\n  &lt;LASTMODIFICATIONTIME&gt;\n   &lt;HIGHPART&gt;0x01DB5BD0&lt;\/HIGHPART&gt;\n   &lt;LOWPART&gt;0x6FEDA2E8&lt;\/LOWPART&gt;\n  &lt;\/LASTMODIFICATIONTIME&gt;\n  &lt;WIMBOOT&gt;0&lt;\/WIMBOOT&gt;\n  &lt;NAME&gt;mimikatz&lt;\/NAME&gt;\n &lt;\/IMAGE&gt;\n&lt;\/WIM&gt;<\/pre>\n\n\n\n<p>I was also curious how the file will be &#8216;seen&#8217; by VT, so I submitted it <a href=\"https:\/\/www.virustotal.com\/gui\/file\/2dbeac07a022fff3a6bdcb2de0801e6d120c8123b27d43d183f03c6c42c1d01b\">here<\/a>. 
To my surprise, we got multiple different detections, hitting on different internal images &#8211; either Eicar or Mimikatz (I was hoping that my first image, sysmon, would help to bypass most of the scans &#8211; I was wrong):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_multiple_images_vt_test.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_multiple_images_vt_test-1024x291.png\" alt=\"\" class=\"wp-image-9799\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_multiple_images_vt_test-1024x291.png 1024w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_multiple_images_vt_test-300x85.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_multiple_images_vt_test-768x219.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_multiple_images_vt_test-500x142.png 500w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/wim_multiple_images_vt_test.png 1195w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Coming back to the newly created file, <em>newtest.wim<\/em>, it&#8217;s important to mention that apart from the multiple images it can host, it can also be split into smaller chunks (same as 7z, zip, or rar archives).<\/p>\n\n\n\n<p>Running the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dism \/split-image \/imagefile:\"newtest.wim\" \/SWMFile:\"newtest.swm\" \/FileSize:1<\/pre>\n\n\n\n<p>will split our <em>newtest.wim<\/em> file into 3 swm files:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">    4,435 newtest.swm\n1,417,386 newtest2.swm\n  704,883 newtest3.swm\n    2,126,704 bytes<\/pre>\n\n\n\n<p>I am not sure I follow how the 1M boundary I asked for led to the creation of these 3 files with file sizes looking quite random, but one way or 
another, the ability to split a WIM file into SWM file chunks may come in handy.<\/p>\n\n\n\n<p>They certainly come in handy when it comes to bypassing VT detections:<\/p>\n\n\n\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/file\/11234fe904c17815913cd040b97269ce841255f42f45c96d14996a29d581bd1c\">newtest.swm<\/a> &#8211; 0<\/li>\n\n\n\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/file\/2de82e10cc8e413ebb0c1d002e20d95b8992ae63d9f95d1e210e953c1dbfe76d\">newtest2.swm<\/a> &#8211; 0<\/li>\n\n\n\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/file\/48a0d9526ebce6ec07b1b60c20e3fbf470b69a9274ec0ae2bc059a37ca002610\">newtest3.swm<\/a> &#8211; &#8230; or&#8230; not&#8230; yup, okay, we are still getting caught:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/swm3_vt_test.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/swm3_vt_test-1024x293.png\" alt=\"\" class=\"wp-image-9800\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/swm3_vt_test-1024x293.png 1024w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/swm3_vt_test-300x86.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/swm3_vt_test-768x220.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/swm3_vt_test-500x143.png 500w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/swm3_vt_test.png 1191w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>The last bit I want to quickly cover here is the \/EA command line argument that we can use during image creation (\/Capture-Image). The default behavior of \/Capture-Image is to collect both files and their Alternate Data Streams, but the \/EA option extends the collection to Extended Attributes as well. 
This enables us to &#8216;outsource&#8217; hiding data and payloads (in either ADS or EAs) to the <em>dism.exe<\/em> process, as all the mounting-related but &#8216;dodgy&#8217; file system &#8216;object creation&#8217; activities will be associated with this process only.<\/p>\n\n\n\n<p>I think <em>dism.exe<\/em> is a tool that ended up being overlooked by many of us, but I hope we will all pay more attention to it now&#8230; This Microsoft <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/manufacture\/desktop\/dism-image-management-command-line-options-s14?view=windows-11\">page<\/a> describes this tool&#8217;s command line arguments in great detail.<\/p>\n\n\n\n<p>Happy hunting!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post we explore the dism.exe and WIM images a bit more. It turns out that WIM files are containers that can include more than one image. One can create the first image using the \/Capture-Image option, and then &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/01\/01\/smuggling-payloads-and-tools-in-using-wim-images-part-2\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9796"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9796"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9796\/revisions"}],"predecessor-version":[{"id":9805,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9796\/revisions\/9805"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}