System Binary Proxy Execution: Msiexec (T1218.007)

Tactic: Stealth · Platforms: Windows

The interactive view maps 1 detection strategy, 2 mitigations, 6 threat groups, 23 software entries, 2 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of System Binary Proxy Execution (T1218).

Overview

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.

Explore