Windows Installer exploitation for local privilege escalation

Cortex XDR Analytics Alert Reference by Alert name

Cortex XDR
Last date published
Analytics Alert Reference
Alert name


Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Exploitation for Privilege Escalation (T1068)




The Windows installer (msiexec.exe) was likely exploited to run a malicious rollback script (.rbs file) instead of the original.
Users should not be able to modify config.msi during the installation process, only SYSTEM should have access to it.

Attacker's Goals

An attacker is attempting to gain SYSTEM privileges.

Investigative actions

  • Investigate the actor process SID and path and whether it's benign or normal for this host.
  • This action is not common, but allowed on Windows versions older than Windows 8. On those systems, check the file reputation for both the CGO and OS actor executables that ran the installation.