title: Installer Packages (T1546.016)
id: df00tech-t1546-016
status: experimental
description: "Adversaries may establish persistence and elevate privileges by using an installer package to execute malicious content. Installer packages are setup utilities for applications bundled with an installer utility and can be distributed through legitimate channels. Malicious code can be embedded within installer packages to create backdoors and establish persistence. Installer utilities such as msiexec.exe (Windows MSI), macOS pkgutil, and Linux dpkg/rpm allow adversaries to run pre-install and post-install scripts. These scripts can execute arbitrary code with elevated privileges during the installation process. Additionally, malicious code within the installer can establish persistence by deploying backdoors as scheduled tasks, services, or startup items."
references:
  - https://attack.mitre.org/techniques/T1546/016/
  - https://df00tech.com/detections/T1546.016
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.016
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software installers that download additional components during installation (e.g., Visual Studio, Adobe products, game installers)"
  - "Package managers (npm, pip, cargo) that run pre/post-install scripts as part of package installation"
  - "Enterprise software deployment tools (SCCM, Intune, Munki, Chocolatey) that execute scripts as part of managed software installation"
  - "Development toolchains that compile code or configure environments during installation via shell scripts"
level: high
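Since the Sigma `detection` block above is only a placeholder, the following is an added example (not part of the df00tech rule or its KQL/SPL) showing the kind of process_creation logic a defender would write for this technique: flag children of `msiexec.exe` that are script hosts, or that create the scheduled tasks, services or Run-key entries the description names, with an allowlist for the deployment tooling listed under false positives. Field names assume Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`); the sample events are constructed, not real telemetry.

```python
import os
import re

# Script hosts an installer's pre/post-install action commonly launches.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command lines creating the persistence artefacts named in the description:
# scheduled tasks, services and Run-key startup items.
PERSISTENCE_RE = re.compile(
    r"(schtasks(\.exe)?\s+/create|sc(\.exe)?\s+create|"
    r"reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run)", re.IGNORECASE)

def _base(path):
    # Normalise Windows paths and return the lower-cased file name.
    return os.path.basename(path.replace("\\", "/")).lower()

def detect(events, allowlist=()):
    """Return (event_index, reason) for process_creation events that look like
    installer-driven script execution or persistence. `allowlist` holds
    command-line substrings of deployment tools known in your environment."""
    hits = []
    for i, ev in enumerate(events):
        parent = _base(ev.get("ParentImage", ""))
        child = _base(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent != "msiexec.exe":
            continue  # only installer-spawned children are in scope here
        if any(a.lower() in cmd.lower() for a in allowlist):
            continue  # known benign managed-deployment tooling
        if PERSISTENCE_RE.search(cmd):
            hits.append((i, "installer child creates persistence"))
        elif child in SCRIPT_HOSTS:
            hits.append((i, f"installer spawned script host {child}"))
    return hits

# Constructed sample events in Sysmon Event ID 1 shape (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /tn Updater /tr "C:\ProgramData\u.exe" /sc onlogon'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\postinstall.ps1"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Program Files\Vendor\setup.exe" /quiet'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c schtasks /create /tn Backup /tr backup.exe /sc daily"},
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(idx, why, SAMPLE_EVENTS[idx]["CommandLine"])
```

The same persistence pattern from a non-installer parent (the explorer.exe event) is deliberately not flagged, so the rule stays narrow enough to survive the false positives listed above.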
