T1546.016

Installer Packages

Adversaries may establish persistence and elevate privileges by using an installer package to execute malicious content. Installer packages are setup utilities for applications bundled with an installer utility and can be distributed through legitimate channels. Malicious code can be embedded within installer packages to create backdoors and establish persistence. Installer utilities such as msiexec.exe (Windows MSI), macOS pkgutil, and Linux dpkg/rpm allow adversaries to run pre-install and post-install scripts. These scripts can execute arbitrary code with elevated privileges during the installation process. Additionally, malicious code within the installer can establish persistence by deploying backdoors as scheduled tasks, services, or startup items.

Microsoft Sentinel / Defender

kusto

let MsiScriptPatterns = dynamic([
    "powershell", "cmd.exe", "wscript", "cscript", "mshta",
    "certutil", "bitsadmin", "Invoke-WebRequest", "DownloadString",
    "Net.WebClient", "curl", "wget"
  ]);
let InstallerChildren = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("msiexec.exe", "installer", "pkgutil", "dpkg", "rpm", "yum", "apt")
| where FileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe", "bash", "sh", "python3", "python"
  )
| extend SuspiciousCommand = ProcessCommandLine has_any (MsiScriptPatterns)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, SuspiciousCommand;
let MsiDownloadIndicators = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("msiexec.exe", "installer")
| where RemoteIPType == "Public"
| project NetTime=Timestamp, DeviceName, AccountName, RemoteIP, RemotePort, InitiatingProcessFileName;
union (InstallerChildren | extend EventType="INSTALLER_CHILD_PROCESS"),
      (MsiDownloadIndicators | extend EventType="INSTALLER_NETWORK_ACTIVITY")
| sort by Timestamp desc, NetTime desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate software installers that download additional components during installation (e.g., Visual Studio, Adobe products, game installers)
Package managers (npm, pip, cargo) that run pre/post-install scripts as part of package installation
Enterprise software deployment tools (SCCM, Intune, Munki, Chocolatey) that execute scripts as part of managed software installation
Development toolchains that compile code or configure environments during installation via shell scripts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  "ParentProcessPath" AS ParentProcess,
  "ProcessPath" AS ChildProcess,
  "CommandLine" AS CommandLine,
  CASE
    WHEN LOWER("CommandLine") ILIKE '%invoke-webrequest%'
      OR LOWER("CommandLine") ILIKE '%downloadstring%'
      OR LOWER("CommandLine") ILIKE '%net.webclient%' THEN 'INSTALLER_DOWNLOAD_CRADLE'
    WHEN LOWER("CommandLine") ILIKE '%-encodedcommand%'
      OR LOWER("CommandLine") ILIKE '%certutil%urlcache%'
      OR LOWER("CommandLine") ILIKE '%bitsadmin%transfer%' THEN 'INSTALLER_ENCODED_EXECUTION'
    WHEN LOWER("ProcessPath") ILIKE '%powershell%'
      OR LOWER("ProcessPath") ILIKE '%cmd.exe%'
      OR LOWER("ProcessPath") ILIKE '%wscript%'
      OR LOWER("ProcessPath") ILIKE '%bash%'
      OR LOWER("ProcessPath") ILIKE '%python%' THEN 'INSTALLER_SCRIPT_CHILD'
    ELSE 'INSTALLER_NETWORK_CALLBACK'
  END AS DetectionType
FROM events
WHERE LOGSOURCETYPEID IN (12, 14, 352)
  AND (
    (
      (
        LOWER("ParentProcessPath") ILIKE '%msiexec.exe%'
        OR LOWER("ParentProcessPath") ILIKE '%installer%'
        OR LOWER("ParentProcessPath") ILIKE '%dpkg%'
        OR LOWER("ParentProcessPath") ILIKE '%rpm%'
        OR LOWER("ParentProcessPath") ILIKE '%pkgutil%'
        OR LOWER("ParentProcessPath") ILIKE '%chocolatey%'
        OR LOWER("ParentProcessPath") ILIKE '%winget%'
      )
      AND (
        LOWER("ProcessPath") ILIKE '%powershell.exe%'
        OR LOWER("ProcessPath") ILIKE '%pwsh.exe%'
        OR LOWER("ProcessPath") ILIKE '%cmd.exe%'
        OR LOWER("ProcessPath") ILIKE '%wscript.exe%'
        OR LOWER("ProcessPath") ILIKE '%cscript.exe%'
        OR LOWER("ProcessPath") ILIKE '%mshta.exe%'
        OR LOWER("ProcessPath") ILIKE '%certutil.exe%'
        OR LOWER("ProcessPath") ILIKE '%bitsadmin.exe%'
        OR LOWER("ProcessPath") ILIKE '%bash%'
        OR LOWER("ProcessPath") ILIKE '%python%'
      )
    )
    OR (
      (
        LOWER("ParentProcessPath") ILIKE '%msiexec.exe%'
        OR LOWER("ParentProcessPath") ILIKE '%installer%'
      )
      AND (
        LOWER("CommandLine") ILIKE '%invoke-webrequest%'
        OR LOWER("CommandLine") ILIKE '%downloadstring%'
        OR LOWER("CommandLine") ILIKE '%net.webclient%'
        OR LOWER("CommandLine") ILIKE '%-encodedcommand%'
        OR LOWER("CommandLine") ILIKE '%certutil%urlcache%'
        OR LOWER("CommandLine") ILIKE '%bitsadmin%transfer%'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (EventID 4688) Microsoft Sysmon (EventID 1, 3) Linux auditd via QRadar DSM

Required Tables

events

False Positives

Enterprise application suites (SAP, Oracle, Salesforce desktop) using PowerShell custom actions in MSI installers for license validation and service registration at elevated privilege
Configuration management tools (SCCM, Ansible WinRM modules, Puppet) triggering MSI deployments that chain into PowerShell for environment and dependency setup
Developer SDK installers (Python, Node.js, .NET SDK, JDK) executing cmd.exe or PowerShell to update PATH environment variables and register shell extensions

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*linux* OR _sourceCategory=*macos*)
| parse regex "(?:ParentImage|ParentProcessName|ParentProcessPath)=(?P<ParentProcess>[^\n\r]+)" nodrop
| parse regex "(?:Image|NewProcessName|ProcessPath|CommandPath)=(?P<ChildProcess>[^\n\r]+)" nodrop
| parse regex "(?:CommandLine|NewProcessCommandLine|ProcessCommandLine)=(?P<CommandLine>[^\n\r]+)" nodrop
| where (
    matches(toLowerCase(ParentProcess), "*(msiexec*|*installer*|*pkgutil*|*dpkg*|*rpm*|*yum*|*apt*|*chocolatey*|*winget*)")
    AND (
      matches(toLowerCase(ChildProcess), "*(powershell*|*pwsh*|*cmd.exe*|*wscript*|*cscript*|*mshta*|*certutil*|*bitsadmin*|*bash*|*python*)")
      OR matches(toLowerCase(CommandLine), "*(invoke-webrequest*|*downloadstring*|*net.webclient*|*-encodedcommand*|*certutil*urlcache*|*bitsadmin*transfer*)")
    )
  )
| eval DetectionType = if(
    matches(toLowerCase(CommandLine), "*(invoke-webrequest*|*downloadstring*|*net.webclient*)") AND matches(toLowerCase(ChildProcess), "*(powershell*|*cmd*|*bash*)"),
    "INSTALLER_DOWNLOAD_CRADLE",
    if(
      matches(toLowerCase(CommandLine), "*(-encodedcommand*|*certutil*urlcache*|*bitsadmin*transfer*)"),
      "INSTALLER_ENCODED_EXECUTION",
      if(
        matches(toLowerCase(ChildProcess), "*(powershell*|*pwsh*|*cmd.exe*|*wscript*|*cscript*|*bash*|*python*)"),
        "INSTALLER_SCRIPT_CHILD",
        "INSTALLER_SUSPICIOUS_ACTIVITY"
      )
    )
  )
| fields _messageTime, _sourceHost, EventID, DetectionType, ChildProcess, CommandLine, ParentProcess
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Event Logs via Sumo Logic Windows Agent (Sysmon EventID 1, Security EventID 4688) Linux auditd via Sumo Logic Installed Collector macOS Unified Logs via Sumo Logic macOS Agent

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*linux* _sourceCategory=*macos*

False Positives

Software vendors embedding PowerShell or shell scripts in MSI/pkg post-install phases for legitimate product configuration — for example, antivirus kernel extension registration or IDE plugin setup
Linux dpkg and rpm maintainer scripts (postinst, preinst, postrm) executing bash commands as a standard part of package management, particularly for system packages that modify init scripts or cron entries
macOS .pkg installers running post-install shell scripts to move application bundles, create symlinks in /usr/local/bin, or write launch daemon plists as part of normal app setup

Google Chronicle / SecOps

yaral

rule T1546_016_installer_package_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects installer packages (msiexec, dpkg, rpm, pkgutil, apt, chocolatey, winget) spawning script interpreters or executing download cradle commands — T1546.016 Installer Package Persistence and Privilege Escalation"
    mitre_attack_technique = "T1546.016"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-20"
    reference = "https://attack.mitre.org/techniques/T1546/016/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $e.principal.process.file.full_path,
      `(?i)(msiexec\.exe|/installer|pkgutil|/dpkg|/rpm|/yum|apt-get|/apt\b|chocolatey|winget)`
    )
    (
      re.regex(
        $e.target.process.file.full_path,
        `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|/bash|/sh$|python3?$)`
      )
      or
      re.regex(
        $e.target.process.command_line,
        `(?i)(invoke-webrequest|downloadstring|net\.webclient|-encodedcommand|certutil.{0,20}urlcache|bitsadmin.{0,20}transfer|curl.{0,30}https?://|wget.{0,30}https?://)`
      )
    )
    $hostname = $e.principal.hostname

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events) Windows Sysmon forwarded via Chronicle ingestion Elastic/CrowdStrike EDR normalized to Chronicle UDM

Required Tables

UDM PROCESS_LAUNCH events with principal.process and target.process populated

False Positives

Enterprise application installers (SAP Business One, Oracle Database, Salesforce DX) that use PowerShell custom actions for elevated post-install configuration tasks such as IIS module registration or COM component activation
IT automation platforms (Ansible Windows WinRM modules, Puppet Bolt) driving MSI deployments that chain into PowerShell for environment setup or registry key configuration
Developer toolchain installers (Python Anaconda, Node.js, .NET SDK, Android SDK) executing shell scripts or cmd.exe to configure PATH, JAVA_HOME, and other system-wide environment variables

CrowdStrike LogScale (CQL)

cql

(#event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkConnectIP4)
| case {
    #event_simpleName=ProcessRollup2
    ParentBaseFileName=/(?i)(msiexec\.exe|installer|pkgutil|dpkg|rpm|yum|apt-get|apt|chocolatey|winget)/
    (
      FileName=/(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|bash|sh|python)/
      OR CommandLine=/(?i)(invoke-webrequest|downloadstring|net\.webclient|-encodedcommand|certutil.{0,20}urlcache|bitsadmin.{0,20}transfer|curl.{0,30}https?:\/\/|wget.{0,30}https?:\/\/)/
    )
    | EventType:=if(
        CommandLine=/(?i)(invoke-webrequest|downloadstring|net\.webclient|-encodedcommand)/,
        "INSTALLER_DOWNLOAD_CRADLE",
        if(
          CommandLine=/(?i)(certutil.{0,20}urlcache|bitsadmin.{0,20}transfer)/,
          "INSTALLER_ENCODED_EXECUTION",
          "INSTALLER_SCRIPT_CHILD"
        )
      );
    #event_simpleName=NetworkConnectIP4
    ImageFileName=/(?i)(msiexec\.exe|installer)/
    NOT RemoteAddressIP4=/^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1)/
    | EventType:="INSTALLER_NETWORK_CALLBACK";
    * | drop()
  }
| groupBy(
    [ComputerName, UserName, EventType, ParentBaseFileName, FileName, CommandLine, RemoteAddressIP4],
    function=count(aid, as=EventCount)
  )
| sort(EventCount, order=desc, limit=200)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection — ProcessRollup2 telemetry CrowdStrike Falcon Network Containment — NetworkConnectIP4 telemetry

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Legitimate software update mechanisms (Windows Update orchestrator, third-party auto-updaters like Zoom, Slack, or Chrome) invoking msiexec as a child process that then calls PowerShell for staged component updates
Software packaging frameworks (WiX Toolset, NSIS, InstallShield) generating MSI wrappers that invoke cmd.exe or PowerShell for component registration, GAC assembly installation, or driver signing verification
Corporate device enrollment workflows (Windows Autopilot, Jamf Pro) where installer packages execute PowerShell or bash to apply configuration profiles, install certificates, or join endpoint management systems

Last updated: 2026-04-20 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1546.016 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.001Change Default File Association T1546.002Screensaver T1546.003Windows Management Instrumentation Event Subscription T1546.004Unix Shell Configuration Modification T1546.005Trap T1546.006LC_LOAD_DYLIB Addition T1546.007Netsh Helper DLL T1546.008Accessibility Features T1546.009AppCert DLLs T1546.010AppInit DLLs T1546.011Application Shimming T1546.012Image File Execution Options Injection T1546.013PowerShell Profile T1546.014Emond T1546.015Component Object Model Hijacking T1546.017Udev Rules T1546.018Python Startup Hooks

Installer Packages

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections