Adversaries may abuse msiexec.exe to execute malicious PowerShell commands for persistence or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise through indirect execution methods.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
//Looking for PowerShell
| where FileName =~ "powershell.exe"
//Looking for %temp% in the command line indicating deployment
and ProcessCommandLine contains "%temp%"
//Find credential theft attempts using Msiexec to run Mimikatz commands
```
```yaml
id: 1189dc7d-6d2a-4aa9-ad5f-bebed51474d9
name: detect-malicious-use-of-msiexec-powershell
description: |
  This query was originally published in the threat analytics report, Msiexec abuse.
  Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can repurpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks.
  The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool.
  Reference - https://www.varonis.com/blog/what-is-mimikatz/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Privilege escalation
  - Credential Access
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  //Looking for PowerShell
  | where FileName =~ "powershell.exe"
  //Looking for %temp% in the command line indicating deployment
  and ProcessCommandLine contains "%temp%"
  //Find credential theft attempts using Msiexec to run Mimikatz commands
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
The exclusions below are written with explicit parentheses: in KQL `and` binds tighter than `or`, so an ungrouped trailing `OR ProcessParentProcessName contains "..."` clause would exclude every event from that parent process, not just the msiexec installs the scenario describes.

**Scenario: Scheduled System Maintenance via MSI**
Description: A legitimate system maintenance task uses msiexec.exe to install a trusted update or patch via an .msi file.
Filter/Exclusion: `ProcessCommandLine contains "msiexec /i" AND ProcessFileName contains "C:\Windows\System32\msiexec.exe" AND ProcessParentProcessName contains "Task Scheduler"`

**Scenario: Software Deployment via Group Policy**
Description: An IT admin uses msiexec.exe to deploy software via Group Policy, which is a common enterprise practice.
Filter/Exclusion: `ProcessCommandLine contains "msiexec /i" AND ProcessFileName contains "C:\Windows\System32\msiexec.exe" AND (ProcessParentProcessName contains "msiexec" OR ProcessParentProcessName contains "gpupdate")`

**Scenario: PowerShell Script Invoking MSI for Automation**
Description: A PowerShell script is used to automate the installation of an enterprise application using msiexec.exe, which is a valid use case.
Filter/Exclusion: `(ProcessCommandLine contains "powershell.exe" AND ProcessParentProcessName contains "msiexec") OR (ProcessCommandLine contains "msiexec /i" AND ProcessFileName contains "C:\Windows\System32\msiexec.exe" AND ProcessParentProcessName contains "powershell.exe")`

**Scenario: MSI File Installation by a Trusted Admin Tool**
Description: A trusted admin tool (e.g., Microsoft Endpoint Configuration Manager) uses msiexec.exe to install software on endpoints.
Filter/Exclusion: `ProcessCommandLine contains "msiexec /i" AND ProcessFileName contains "C:\Windows\System32\msiexec.exe" AND (ProcessParentProcessName contains "Configuration Manager" OR ProcessParentProcessName contains "SCCMD")`
**Scenario: MSI
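The hunt above combined with the PowerShell-automation exclusion, as an added example that is not the page's published query or any Microsoft code. It assumes the advanced-hunting columns FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath and InitiatingProcessCommandLine in place of the ProcessFileName and ProcessParentProcessName names the scenarios use, uses a constructed deployment-share path, and adds a msiexec condition that the query as shown does not contain:

```kusto
// Added example for this page; not the published hunting query above.
// Assumed column names: FolderPath, InitiatingProcessFileName,
// InitiatingProcessFolderPath, InitiatingProcessCommandLine.
let lookback = 7d;
let system32_msiexec = @"c:\windows\system32\msiexec.exe";
// Constructed placeholder: the share the organisation deploys packages from
let approved_package_share = @"\\deploy\packages\";
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "powershell.exe"
// %temp% in the command line indicates a package staged on disk
    and ProcessCommandLine contains "%temp%"
// Tie the PowerShell activity to msiexec in either direction:
// PowerShell invoking msiexec, or an .msi custom action spawning PowerShell
// (this condition is added here; the page's query as shown omits it)
    and (ProcessCommandLine has "msiexec"
         or InitiatingProcessFileName =~ "msiexec.exe")
// Scenario 3 exclusion with explicit grouping: 'and' binds tighter than
// 'or' in KQL, so the whole trusted-parent condition sits inside not(...)
| where not(InitiatingProcessFileName =~ "msiexec.exe"
            and InitiatingProcessFolderPath =~ system32_msiexec
            and InitiatingProcessCommandLine has "/i"
            and InitiatingProcessCommandLine contains approved_package_share)
// Fields an analyst needs to triage the remaining hits
| project Timestamp, DeviceName, AccountName,
          FileName, FolderPath, ProcessCommandLine, SHA256,
          InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
```

Replace the placeholder share with the paths your deployment tooling actually uses; a hit whose parent msiexec.exe runs from outside System32 or installs from a user-writable folder is never excluded.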