MITRE ATT&CK Technique
Description
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the <code>AlwaysInstallElevated</code> policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-24T14:38:49.266Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse msiexec.exe to proxy execution of '
'malicious payloads. Msiexec.exe is the command-line utility '
'for the Windows Installer and is thus commonly associated '
'with executing installation packages (.msi).(Citation: '
'Microsoft msiexec) The Msiexec.exe binary may also be '
'digitally signed by Microsoft.\n'
'\n'
'Adversaries may abuse msiexec.exe to launch local or network '
'accessible MSI files. Msiexec.exe can also execute '
'DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec '
'Feb 2018) Since it may be signed and native on Windows '
'systems, msiexec.exe can be used to bypass application '
'control solutions that do not account for its potential '
'abuse. Msiexec.exe execution may also be elevated to SYSTEM '
'privileges if the <code>AlwaysInstallElevated</code> policy '
'is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)',
'external_references': [{'external_id': 'T1218.007',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1218/007'},
{'description': 'Co, M. and Sison, G. (2018, February '
'8). Attack Using Windows Installer '
'msiexec.exe leads to LokiBot. '
'Retrieved April 18, 2019.',
'source_name': 'TrendMicro Msiexec Feb 2018',
'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/'},
{'description': 'LOLBAS. (n.d.). Msiexec.exe. '
'Retrieved April 18, 2019.',
'source_name': 'LOLBAS Msiexec',
'url': 'https://lolbas-project.github.io/lolbas/Binaries/Msiexec/'},
{'description': 'Microsoft. (2017, October 15). '
'msiexec. Retrieved January 24, 2020.',
'source_name': 'Microsoft msiexec',
'url': 'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec'},
{'description': 'Microsoft. (2018, May 31). '
'AlwaysInstallElevated. Retrieved '
'December 14, 2020.',
'source_name': 'Microsoft AlwaysInstallElevated 2018',
'url': 'https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated'}],
'id': 'attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:38.626Z',
'name': 'Msiexec',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Ziv Kaspersky, Cymptom', 'Alexandros Pappas'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '2.1'}