Uncommon msiexec execution of an arbitrary file from a remote location

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-10

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	System Binary Proxy Execution: Msiexec (T1218.007)
Severity	Low

Description

Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

Attacker's Goals

Evading security controls and executing arbitrary files from the web.

Investigative actions

Check if the the URL that is encoded in the command line is trusted.
Determine if the executed DLL or MSI file is known as legitimate.
Confirm whether the initiating process is legitimate and if the user running it knows of its use.
Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.

Variations

Suspicious msiexec execution on an internet-facing endpoint

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	System Binary Proxy Execution: Msiexec (T1218.007)
Severity	Low

Description

Suspicious msiexec execution of an arbitrary file from the web on an internet-facing server.

Attacker's Goals

Evading security controls and executing arbitrary files from the web.

Investigative actions

Check if the the URL that is encoded in the command line is trusted.
Determine if the executed DLL or MSI file is known as legitimate.
Confirm whether the initiating process is legitimate and if the user running it knows of its use.
Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.