Skip to content

Hide Navigation Hide TOC

Msiexec (9d00d3c4-9a01-403a-9275-c94960fd871f)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute msi files

Author: Oddvar Moe

Paths: * C:\Windows\System32\msiexec.exe * C:\Windows\SysWOW64\msiexec.exe

Resources: * https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ * https://twitter.com/PhilipTsukerman/status/992021361106268161 * https://badoption.eu/blog/2023/10/03/MSIFortune.html

Detection: * Sigma: proc_creation_win_msiexec_web_install.yml * Sigma: proc_creation_win_msiexec_masquerading.yml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * Splunk: uninstall_app_using_msiexec.yml * IOC: msiexec.exe retrieving files from Internet[LOLBAS Msiexec]

Cluster A Galaxy A Cluster B Galaxy B Level
Rancor (021b3c71-6467-4e46-a413-8b726f066f2c) Tidal Groups Msiexec (9d00d3c4-9a01-403a-9275-c94960fd871f) Tidal Software 1
TA505 (b3220638-6682-4a4e-ab64-e7dc4202a3f1) Tidal Groups Msiexec (9d00d3c4-9a01-403a-9275-c94960fd871f) Tidal Software 1
ZIRCONIUM (5e34409e-2f55-4384-b519-80747d02394c) Tidal Groups Msiexec (9d00d3c4-9a01-403a-9275-c94960fd871f) Tidal Software 1
Molerats (679b7b6b-9659-4e56-9ffd-688a6fab01b6) Tidal Groups Msiexec (9d00d3c4-9a01-403a-9275-c94960fd871f) Tidal Software 1
Machete (a3be79a2-3d4f-4697-a8a1-83f0884220af) Tidal Groups Msiexec (9d00d3c4-9a01-403a-9275-c94960fd871f) Tidal Software 1