Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.
Attacker's Goals
Evading security controls and executing arbitrary files from the web.
Investigative actions
- Is the URL encoded in the command line trusted?
- Is the executed DLL or MSI file known to be legitimate?
- Is the initiating process legitimate, and does the user running it know of its use?
Note: the MSI executable can also run from other LAN locations; the alert is raised on the WAN connection.
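
The first investigative action and the LAN/WAN note can be scripted for triage. The following is an added example, not the product's detection logic: it extracts URLs from an msiexec command line, classifies the host as LAN or WAN, and checks it against an allowlist. The LAN ranges, the `TRUSTED_HOSTS` allowlist, the function names and the sample command lines are all assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: "LAN" means RFC 1918, loopback, link-local and IPv6 ULA ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
# Hypothetical allowlist of installer hosts the organisation trusts.
TRUSTED_HOSTS = {"downloads.example.com"}

MSIEXEC_RE = re.compile(r'(^|[\\/"\s])msiexec(\.exe)?(["\s]|$)', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)

def is_lan_host(host):
    """IP literals are matched against LAN_NETS; single-label names count as LAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return any(ip in net for net in LAN_NETS)

def triage(cmdline):
    """Return None for non-msiexec commands, else one finding per URL argument."""
    if not MSIEXEC_RE.search(cmdline):
        return None
    findings = []
    for match in URL_RE.finditer(cmdline):
        host = (urlsplit(match.group(0)).hostname or "").lower()
        findings.append({"url": match.group(0), "host": host,
                         "scope": "LAN" if is_lan_host(host) else "WAN",
                         "trusted": host in TRUSTED_HOSTS})
    return findings

def needs_review(cmdline):
    """True when msiexec points at a WAN URL whose host is not allowlisted."""
    return any(f["scope"] == "WAN" and not f["trusted"] for f in triage(cmdline) or [])

# Constructed sample command lines, not taken from real telemetry.
SAMPLES = [
    r'msiexec.exe /q /i https://cdn.unknown-host.example/setup.msi',
    r'msiexec /i https://downloads.example.com/agent.msi /qn',
    r'"C:\Windows\System32\msiexec.exe" /i http://10.20.30.40/tools/agent.msi',
    r'msiexec /i C:\Temp\local.msi',
    r'notepad.exe http://example.com/readme.txt',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(needs_review(sample), triage(sample))
```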