Detections
Analytics
System Binary Proxy Execution: Msiexec
Description
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).[1] The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.[2][3] Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | AlwaysInstallElevated policy Status | Plugin ID: 162174 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Defense Evasion
Technique: System Binary Proxy Execution
Sub-Technique: Msiexec
Platform: Windows
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2024 Q1