T1218.007 Msiexec Mappings

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the <code>AlwaysInstallElevated</code> policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1218.007 Msiexec
AC-3 Access Enforcement Protects T1218.007 Msiexec
AC-5 Separation of Duties Protects T1218.007 Msiexec
AC-6 Least Privilege Protects T1218.007 Msiexec
CM-2 Baseline Configuration Protects T1218.007 Msiexec
CM-5 Access Restrictions for Change Protects T1218.007 Msiexec
CM-6 Configuration Settings Protects T1218.007 Msiexec
CM-7 Least Functionality Protects T1218.007 Msiexec
IA-2 Identification and Authentication (organizational Users) Protects T1218.007 Msiexec
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1218.007 Signed Binary Proxy Execution: Msiexec