mgreen27 · January 8, 2024 07:26
diff --git a/MsiInstallerMetadata.yaml b/MsiInstallerMetadata.yaml
 name: Windows.System.MsiInstallerMetadata
 author: Matt Green - @mgreen27
 description: |
  This artifact allows runs VBScript through cscript.exe and calculates MSI 
  installer metadata.
  
  Not using powershell to minimise footprint, use notebook to search for metadata.
  
 required_permissions:
  - EXECVE

 precondition:
  SELECT OS From info() where OS = 'windows'

 parameters:
  - name: Script
    default: |
        On Error Resume Next
        Set objFSO = Createobject("Scripting.FileSystemObject")
        Set oFolder = objFSO.GetFolder("C:\\Windows\\Installer")
        Set objInstaller = CreateObject("WindowsInstaller.Installer") 
        For Each oFile in oFolder.Files
            If LCase(objFSO.GetExtensionName(oFile.Name)) = "msi" Then
                Set objInstaller = CreateObject("WindowsInstaller.Installer") 
                Set objProduct = objInstaller.SummaryInformation("C:\\Windows\\Installer\\" & oFile.Name)
                        
                Wscript.Echo "File name: " & oFile.Name
                Wscript.Echo "Code page: " &objProduct.Property(1)
                Wscript.Echo "Title: " & objProduct.Property(2)
                Wscript.Echo "Subject: " & objProduct.Property(3)
                Wscript.Echo "Author: " & objProduct.Property(4)
                Wscript.Echo "Keywords: " & objProduct.Property(5)
                Wscript.Echo "Comment: " & objProduct.Property(6)
                Wscript.Echo "Template: " & objProduct.Property(7)
                Wscript.Echo "Last Author: " & objProduct.Property(8)
                Wscript.Echo "Revision number: " & objProduct.Property(9)
                Wscript.Echo "Edit Time: " & objProduct.Property(10)
                Wscript.Echo "Last Printed: " & objProduct.Property(11)
                Wscript.Echo "Creation Date: " & objProduct.Property(12)
                Wscript.Echo "Last Saved: " & objProduct.Property(13)
                Wscript.Echo "Page Count: " & objProduct.Property(14)
                Wscript.Echo "Word Count: " & objProduct.Property(15)
                Wscript.Echo "Character Count: " & objProduct.Property(16)
                Wscript.Echo "Application Name: " & objProduct.Property(18)
                Wscript.Echo "Security: " & objProduct.Property(19)
                Wscript.Echo "####################"
            End If
        Next
        
 sources:
  - query: |
      LET temp_script <= tempfile(extension='.vbs', data=str(str=Script))
 
      SELECT Stdout 
      FROM execve(argv=['cscript.exe','//NoLogo','/E:vbs',temp_script], sep='####################')
	name: Windows.System.MsiInstallerMetadata
	author: Matt Green - @mgreen27
	description: \|
	This artifact allows runs VBScript through cscript.exe and calculates MSI
	installer metadata.

	Not using powershell to minimise footprint, use notebook to search for metadata.

	required_permissions:
	- EXECVE

	precondition:
	SELECT OS From info() where OS = 'windows'

	parameters:
	- name: Script
	default: \|
	On Error Resume Next
	Set objFSO = Createobject("Scripting.FileSystemObject")
	Set oFolder = objFSO.GetFolder("C:\\Windows\\Installer")
	Set objInstaller = CreateObject("WindowsInstaller.Installer")
	For Each oFile in oFolder.Files
	If LCase(objFSO.GetExtensionName(oFile.Name)) = "msi" Then
	Set objInstaller = CreateObject("WindowsInstaller.Installer")
	Set objProduct = objInstaller.SummaryInformation("C:\\Windows\\Installer\\" & oFile.Name)

	Wscript.Echo "File name: " & oFile.Name
	Wscript.Echo "Code page: " &objProduct.Property(1)
	Wscript.Echo "Title: " & objProduct.Property(2)
	Wscript.Echo "Subject: " & objProduct.Property(3)
	Wscript.Echo "Author: " & objProduct.Property(4)
	Wscript.Echo "Keywords: " & objProduct.Property(5)
	Wscript.Echo "Comment: " & objProduct.Property(6)
	Wscript.Echo "Template: " & objProduct.Property(7)
	Wscript.Echo "Last Author: " & objProduct.Property(8)
	Wscript.Echo "Revision number: " & objProduct.Property(9)
	Wscript.Echo "Edit Time: " & objProduct.Property(10)
	Wscript.Echo "Last Printed: " & objProduct.Property(11)
	Wscript.Echo "Creation Date: " & objProduct.Property(12)
	Wscript.Echo "Last Saved: " & objProduct.Property(13)
	Wscript.Echo "Page Count: " & objProduct.Property(14)
	Wscript.Echo "Word Count: " & objProduct.Property(15)
	Wscript.Echo "Character Count: " & objProduct.Property(16)
	Wscript.Echo "Application Name: " & objProduct.Property(18)
	Wscript.Echo "Security: " & objProduct.Property(19)
	Wscript.Echo "####################"
	End If
	Next

	sources:
	- query: \|
	LET temp_script <= tempfile(extension='.vbs', data=str(str=Script))

	SELECT Stdout
	FROM execve(argv=['cscript.exe','//NoLogo','/E:vbs',temp_script], sep='####################')