Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the <code>AlwaysInstallElevated</code> policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1218.007 | Msiexec |
Comments
This diagnostic statement protects against Msiexec through the use of privileged account management and the use of multi-factor authentication.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1218.007 | Msiexec |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1218.007 | Msiexec | |
| CM-05 | Access Restrictions for Change | mitigates | T1218.007 | Msiexec | |
| CM-02 | Baseline Configuration | mitigates | T1218.007 | Msiexec | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1218.007 | Msiexec | |
| CM-07 | Least Functionality | mitigates | T1218.007 | Msiexec | |
| AC-02 | Account Management | mitigates | T1218.007 | Msiexec | |
| AC-03 | Access Enforcement | mitigates | T1218.007 | Msiexec | |
| AC-05 | Separation of Duties | mitigates | T1218.007 | Msiexec | |
| AC-06 | Least Privilege | mitigates | T1218.007 | Msiexec |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.007 | Msiexec |