T1218.007 IBM QRadar · QRadar

Detect Msiexec in IBM QRadar

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is commonly associated with executing installation packages (.msi). Because it is a signed Microsoft binary, msiexec.exe can bypass application control solutions that trust it. Adversaries use it to launch local or remote MSI files and to execute DLLs. Execution may also be elevated to SYSTEM if the AlwaysInstallElevated policy is enabled. It is widely abused by malware families including QakBot, IcedID, Emotet, Clop, Maze, Ragnar Locker, Latrodectus, Raspberry Robin, TA505, Rancor, ZIRCONIUM, and many others.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1218 System Binary Proxy Execution
Sub-technique: T1218.007 Msiexec
Canonical reference: https://attack.mitre.org/techniques/T1218/007/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS User,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  CASE WHEN REGEXP_MATCH("Command", '(?i)http[s]?://|ftp://') THEN 1 ELSE 0 END AS RemoteMSI,
  CASE WHEN REGEXP_MATCH("Command", '(?i)\s/y\s') THEN 1 ELSE 0 END AS DLLExec,
  CASE WHEN REGEXP_MATCH("Command", '(?i)(/q |/quiet |/passive )') THEN 1 ELSE 0 END AS SilentInstall,
  CASE WHEN REGEXP_MATCH("Command", '(?i)(temp|appdata|downloads|public|desktop)') THEN 1 ELSE 0 END AS SuspiciousPath,
  CASE WHEN REGEXP_MATCH("Parent Process Name", '(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe') THEN 1 ELSE 0 END AS SuspiciousParent,
  CASE WHEN REGEXP_MATCH("Command", '[A-Z]+=[a-zA-Z0-9+/]{10,}') THEN 1 ELSE 0 END AS PropertyPair
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND LOWER("Process Name") LIKE '%msiexec.exe'
  AND (
    REGEXP_MATCH("Command", '(?i)http[s]?://|ftp://')
    OR REGEXP_MATCH("Command", '(?i)\s/y\s')
    OR (
      REGEXP_MATCH("Command", '(?i)(/q |/quiet |/passive )')
      AND REGEXP_MATCH("Command", '(?i)(temp|appdata|downloads|public|desktop)')
    )
    OR REGEXP_MATCH("Parent Process Name", '(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe')
  )
START '%LastHour%' STOP '%Now%'
ORDER BY devicetime DESC
```

Severity: High. Confidence: High.

Detects T1218.007 msiexec.exe proxy execution abuse using IBM QRadar AQL against Windows Security Event Log and Sysmon DSM log sources. Each row carries 0/1 risk indicators for remote MSI URLs, DLL registration via /y, silent installs from suspicious paths, Office or scripting-engine parent processes, and long property=value pairs on the command line. Requires the Sysmon DSM or the Windows Security Event Log DSM with the Process Name, Command, and Parent Process Name fields extracted.

Data Sources

  • IBM QRadar SIEM
  • Microsoft Windows Security Event Log DSM
  • Sysmon DSM for QRadar

Required Tables

events

False Positives & Tuning

  • Enterprise deployment tooling (SCCM, Ivanti, Altiris) silently installing MSI packages, triggering both SilentInstall and SuspiciousPath when staging directories overlap with Temp or AppData
  • Help desk remote support tools (ConnectWise, AnyDesk installer) launched by support engineers via PowerShell remote sessions, triggering SuspiciousParent on powershell.exe
  • Developer workstation setup scripts that download and run vendor MSI packages from internal HTTP artifact servers (Nexus, Artifactory), triggering RemoteMSI on internal URLs
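To check the rule's indicator logic offline before deploying it, the following added example (not part of the original page or of QRadar) re-implements the query's regexes in Python and runs them over constructed process-creation events shaped like the three Atomic tests and two cases from the tuning list above; the hostnames, user names and paths are invented.

```python
import re

# Indicator regexes copied from the AQL rule (Python's re accepts the same syntax).
INDICATORS = {
    "RemoteMSI": re.compile(r"(?i)http[s]?://|ftp://"),
    "DLLExec": re.compile(r"(?i)\s/y\s"),
    "SilentInstall": re.compile(r"(?i)(/q |/quiet |/passive )"),  # note: '/qn' is not covered
    "SuspiciousPath": re.compile(r"(?i)(temp|appdata|downloads|public|desktop)"),
    "PropertyPair": re.compile(r"[A-Z]+=[a-zA-Z0-9+/]{10,}"),
}
PARENT_RE = re.compile(r"(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe")

def score_event(event):
    """Return the 0/1 indicator columns the SELECT clause computes for one event."""
    flags = {n: int(bool(rx.search(event["Command"]))) for n, rx in INDICATORS.items()}
    flags["SuspiciousParent"] = int(bool(PARENT_RE.search(event["Parent Process Name"])))
    return flags

def matches_rule(event):
    """Mirror the WHERE clause: msiexec.exe process filter plus the OR'd conditions."""
    if not event["Process Name"].lower().endswith("msiexec.exe"):
        return False
    f = score_event(event)
    return bool(f["RemoteMSI"] or f["DLLExec"]
                or (f["SilentInstall"] and f["SuspiciousPath"])
                or f["SuspiciousParent"])

def fired_indicators(event):
    """Names of the indicators set to 1, in rule order; useful for triage output."""
    return [n for n, v in score_event(event).items() if v]

# Constructed events (hypothetical hosts/paths): the three Atomic tests, an SCCM
# install, and an internal artifact-server download from the tuning list.
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = {
    "test1_remote_msi": {"Process Name": MSIEXEC, "Parent Process Name": r"C:\Windows\explorer.exe",
        "Command": "msiexec.exe /q /i http://127.0.0.1:8080/update.msi"},
    "test2_dll_y_flag": {"Process Name": MSIEXEC, "Parent Process Name": r"C:\Windows\explorer.exe",
        "Command": r"msiexec.exe /y C:\Users\alice\AppData\Local\Temp\helper.dll"},
    "test3_ps_silent_temp": {"Process Name": MSIEXEC,
        "Parent Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Command": r"msiexec.exe /q /i C:\Users\alice\AppData\Local\Temp\setup.msi"},
    "sccm_benign": {"Process Name": MSIEXEC, "Parent Process Name": r"C:\Windows\CCM\CcmExec.exe",
        "Command": r"msiexec.exe /i C:\Windows\ccmcache\1a\app.msi /qn"},
    "nexus_internal_url": {"Process Name": MSIEXEC, "Parent Process Name": r"C:\Windows\System32\cmd.exe",
        "Command": "msiexec.exe /i https://nexus.corp.example/repo/tool.msi /qn"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:22} match={matches_rule(ev)!s:5} {fired_indicators(ev)}")
```

The SCCM case shows that a `/qn` switch slips past the SilentInstall pattern, and the artifact-server case reproduces the RemoteMSI false positive from the tuning list.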

Testing Methodology

Validate this detection against the 3 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Msiexec Remote MSI Execution

    Expected signal: Sysmon Event ID 1: msiexec.exe with URL and /q flag. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080. Security Event ID 4688. The installation will fail (no server) but the process creation event fires.

  2. Test 2: Msiexec DLL Execution via /y Flag

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: msiexec.exe with /y flag and Temp path. Sysmon Event ID 7 (Image Load) for the DLL being loaded by msiexec.

  3. Test 3: Msiexec Silent Install from Temp Directory via PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe, then msiexec.exe with /q and Temp path, ParentImage=powershell.exe. Both SuspiciousParent and SuspiciousPath fire. Security Event ID 4688 for both.
