Detect Msiexec in Elastic Security
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is commonly associated with executing installation packages (.msi). Since it is a signed Microsoft binary, msiexec.exe can bypass application control solutions. Adversaries use it to launch local or remote MSI files and to execute DLLs. Execution may also be elevated to SYSTEM if the AlwaysInstallElevated policy is enabled. Widely abused by malware families including QakBot, IcedID, Emotet, Clop, Maze, Ragnar Locker, Latrodectus, Raspberry Robin, TA505, Rancor, ZIRCONIUM, and many others.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.007 Msiexec
- Canonical reference
- https://attack.mitre.org/techniques/T1218/007/
Elastic Detection Query
process where event.type == "start"
and process.name : "msiexec.exe"
and (
process.command_line : ("*http://*", "*https://*", "*ftp://*")
or process.command_line : "* /y *"
or (
process.command_line : ("*/q *", "*/quiet *", "*/passive *")
and process.command_line : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*")
)
or process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
)Detects T1218.007 msiexec.exe abuse for proxy execution using Elastic Common Schema process events. Identifies remote MSI loading via URL schemes, DLL registration via /y flag, silent installs from suspicious staging directories, and execution spawned from Office or scripting engine parent processes. Covers malware families including QakBot, IcedID, Emotet, and Latrodectus.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software deployment via SCCM, Intune, or PDQ Deploy that silently installs MSI packages from internal HTTP artifact repositories or UNC share staging paths under AppData
- IT automation frameworks (Ansible, Chef, Puppet) wrapping msiexec with /quiet flags and staging installers in %TEMP% or %PUBLIC% before execution
- Legitimate patch management agents (Ivanti Neurons, ManageEngine Patch Manager) that spawn msiexec from PowerShell helper scripts with silent install flags
Other platforms for T1218.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Msiexec Remote MSI Execution
Expected signal: Sysmon Event ID 1: msiexec.exe with URL and /q flag. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080. Security Event ID 4688. The installation will fail (no server) but the process creation event fires.
- Test 2Msiexec DLL Execution via /y Flag
Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: msiexec.exe with /y flag and Temp path. Sysmon Event ID 7 (Image Load) for the DLL being loaded by msiexec.
- Test 3Msiexec Silent Install from Temp Directory via PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe, then msiexec.exe with /q and Temp path, ParentImage=powershell.exe. Both SuspiciousParent and SuspiciousPath fire. Security Event ID 4688 for both.
References (6)
- https://attack.mitre.org/techniques/T1218/007/
- https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
- https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
Unlock Pro Content
Get the full detection package for T1218.007 including response playbook, investigation guide, and atomic red team tests.