{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-installer/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Installer"],"_cs_severities":["low"],"_cs_tags":["msiexec","remote-file-execution","initial-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a built-in Windows component used for installing, modifying, and removing software. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files, bypassing security controls and potentially leading to initial access or defense evasion. This activity is often part of a broader attack chain, used to deliver and execute malicious payloads. The detection rule provided by Elastic identifies suspicious msiexec.exe activity by monitoring process starts, network connections, and child processes. It filters out known benign signatures and paths to highlight potential misuse. This detection is designed to work with Elastic Defend data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via phishing (T1566) or other means to execute commands on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses msiexec.exe with the \u003ccode\u003e/V\u003c/code\u003e parameter to initiate the installation of a remote MSI package. This allows the attacker to bypass typical execution restrictions.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe attempts a network connection (T1105) to retrieve the remote MSI package from a malicious server.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process to handle the installation of the downloaded MSI package.\u003c/li\u003e\n\u003cli\u003eThe spawned child process executes malicious code embedded within the MSI package.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as installing malware, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system for further lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system and network. While this specific rule has a low risk score, it can be an early indicator of more serious attacks. It is crucial to investigate any alerts generated by this rule to determine the full scope and impact of the potential compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect suspicious usage of \u003ccode\u003emsiexec.exe\u003c/code\u003e to install remote packages. Tune the rule for your environment by adding exceptions for legitimate software installation processes.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and network connection logging on Windows endpoints to provide the necessary data for the Sigma rule to function effectively (Data Source: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;Possible investigation steps\u0026rdquo; section in the Elastic rule\u0026rsquo;s documentation to investigate potential false positives and legitimate uses of \u003ccode\u003emsiexec.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications, including potentially malicious MSI packages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-msiexec-remote-install/","summary":"The rule detects the execution of the built-in Windows Installer, msiexec.exe, to install a remote package potentially abused by adversaries for initial access and defense evasion.","title":"Potential Remote File Execution via MSIEXEC","url":"https://feed.craftedsignal.io/briefs/2026-05-msiexec-remote-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Sysmon","Windows Installer"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","msiexec"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft"],"content_html":"\u003cp\u003eAdversaries may abuse the Windows Installer service (msiexec.exe) to proxy the execution of malicious payloads, effectively bypassing application control and other security mechanisms. This technique, known as \u0026ldquo;Msiexec\u0026rdquo; proxy execution (T1218.007), involves using msiexec.exe to execute malicious DLLs or scripts. The detection focuses on identifying child processes spawned by MsiExec, particularly those exhibiting network activity. This behavior is atypical for legitimate software installations and updates, making it a strong indicator of potential malicious use. Defenders should be aware of this technique as it allows attackers to blend in with legitimate system processes. The Elastic detection rule, updated on 2026-05-04, aims to identify this suspicious activity across multiple data sources including Elastic Defend, Sysmon, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eAttacker leverages msiexec.exe to execute a malicious MSI package with a \u003ccode\u003e/v\u003c/code\u003e parameter, commonly used to pass verbose logging options, potentially hiding malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious MSI package contains custom actions that execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process (e.g., powershell.exe, cmd.exe, or another executable) to carry out malicious actions.\u003c/li\u003e\n\u003cli\u003eThe child process establishes a network connection to an external server or performs DNS lookups, possibly for command and control (C2) communication or to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the network connection to download and execute further tools or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass application control and execute arbitrary code on the system. This can lead to malware installation, data theft, or complete system compromise. While the exact number of victims is not specified in the provided source, the technique can be applied across various sectors. The impact can range from individual workstation compromises to large-scale breaches affecting entire organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMsiExec Child Process with Unusual Executable and Network Connection\u003c/code\u003e to detect suspicious msiexec.exe child processes initiating network connections based on unusual executable paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and network connection logging (Event ID 3) to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process tree, command-line arguments, and network destinations.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations and automated deployment tools that use MsiExec and require network access to minimize false positives, as detailed in the \u0026ldquo;False positive analysis\u0026rdquo; section of the source material.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-msiexec-network-connection/","summary":"Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.","title":"MsiExec Child Process Spawning Network Connections for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-10-msiexec-network-connection/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Installer","version":"https://jsonfeed.org/version/1.1"}