System Binary Proxy Execution: Msiexec

Created the Saturday 04 March 2023. Updated 6 months, 3 weeks ago.

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.

Technique Identifier

T1218.007

Technique Tags

Defense Evasion malicious installation packages (.msi) malicious DLLs bypass application control solutions privilege escalation AlwaysInstallElevated

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

System Binary Proxy Execution: Msiexec, Sub-technique T1218.007 - Enterprise | MITRE ATT&CK®