This note documents detection patterns related to MSI Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects msiexec.exe execution and arguments. |
| Sysmon | 1 | Process creation | Critical | Best source for parent lineage and command line. |
| Sysmon | 3 | Network connection | Critical | Remote MSI retrieval via HTTP/HTTPS/SMB. |
| Sysmon | 11 | File create | High | MSI payload writes or extracted files. |
| Sysmon | 7 | Image loaded | Medium | DLL loads during MSI custom action abuse. |
| Application | 1033 / MsiInstaller | Installation completed (product and status) | High | MSI install records if logging enabled. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Remote MSI URL | msiexec /i http://... | Critical | Strong malicious signal. |
| Silent install flags | /qn, /quiet | High | Common stealth flags. |
| MSI launches shell | cmd / powershell child | Critical | Custom action abuse. |
| User temp MSI | Payload in temp/AppData | High | Common staging path. |
| Unexpected parent | Office, browser, script host | Critical | Strong anomaly. |
| Short install then persistence | Service/task follows | Critical | Staged implant clue. |
Common Tools
| Tool | Usage |
|---|---|
| msiexec.exe | Native MSI execution |
| custom MSI packages | Payload delivery |
| PowerShell | MSI wrapper execution |
| browser | Download + launch MSI |
Relevant Artifacts
- Security Event ID 4688
- Sysmon Event IDs 1, 3, 7, 11
- Application log: MsiInstaller
- Prefetch: MSIEXEC.EXE
- MSI files
- Amcache / ShimCache
- MFT / USN for MSI path
- EDR process tree
MITRE ATT&CK References
- T1218.007 Msiexec
Decision Tree
- Local or remote MSI?
  - Local file
  - URL
  - Share
- Silent flags present?
  - /qn, /quiet
- Child processes?
  - cmd
  - powershell
  - service install
- Parent suspicious?
  - Office
  - Browser
  - Script host
- Expand:
  - Extracted files
  - Persistence
  - Network
- Scope:
  - Single MSI
  - Campaign installer
  - Multi-host deployment
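The indirect indicators and the decision tree above reduce to a small set of checks on one process-creation record: where the package came from (local file, URL, share), whether quiet-mode switches are present, whether it was staged under the user profile, who launched it, and what it spawned. The following Python is an added example, not part of the original note: it scores a Sysmon Event ID 1 style record with those checks. The weights and thresholds are illustrative choices, the parent and child process lists are a constructed reading of the "Office, browser, script host" and "cmd / powershell child" rows, the UNC-share pattern and the /qb and /passive switches extend what the page lists, and the sample events are constructed, not real telemetry.

```python
"""
Triage an msiexec.exe process-creation event against the indirect indicators
and decision tree above. Weights and thresholds are illustrative; field names
(Image, CommandLine, ParentImage) follow Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass, field

# Remote source: http(s) URL or UNC share path (the share pattern is an
# addition beyond the table's "msiexec /i http://..." row).
REMOTE_SOURCE = re.compile(r"(?i)(https?://\S+|\\\\[^\\\s]+\\\S+)")
# Quiet-mode switches; /qb and /passive are additions beyond /qn and /quiet.
SILENT_FLAGS = re.compile(r"(?i)(?:^|\s)/(?:qn|qb|q|quiet|passive)\b")
USER_STAGING = re.compile(r"(?i)\\(?:Temp|AppData)\\")
# Constructed reading of the "Unexpected parent" row: Office, browser, script host.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
}
# Children from the "MSI launches shell" row (pwsh.exe added).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    children: list = field(default_factory=list)  # basenames of spawned processes


def msi_source(command_line):
    """Decision-tree step 1: is the package a local file, a URL, or a share?"""
    m = REMOTE_SOURCE.search(command_line)
    if m is None:
        return "local"
    return "url" if m.group(1).lower().startswith("http") else "share"


def triage(ev):
    """Score one event and list the reasons; non-msiexec events are ignored."""
    if basename(ev.image) != "msiexec.exe":
        return {"score": 0, "verdict": "ignore", "source": None, "reasons": []}
    score, reasons = 0, []
    source = msi_source(ev.command_line)
    if source == "url":
        score += 40
        reasons.append("MSI retrieved from URL")
    elif source == "share":
        score += 20
        reasons.append("MSI retrieved from network share")
    if SILENT_FLAGS.search(ev.command_line):
        score += 15
        reasons.append("silent install flag")
    if USER_STAGING.search(ev.command_line):
        score += 15
        reasons.append("package staged in user Temp/AppData")
    parent = basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        score += 30
        reasons.append(f"unexpected parent {parent}")
    shells = sorted(c for c in ev.children if c.lower() in SHELL_CHILDREN)
    if shells:
        score += 40
        reasons.append("spawned shell: " + ", ".join(shells))
    verdict = "critical" if score >= 60 else "high" if score >= 30 else "low"
    return {"score": score, "verdict": verdict, "source": source, "reasons": reasons}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://example.invalid/update.msi /qn",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              children=["cmd.exe"]),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /qn /i \\fileserver\deploy\agent.msi",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(f"{r['verdict']:8} {r['score']:3}  {ev.command_line}  {r['reasons']}")
```

The third sample (silent install from a share, launched by services.exe) lands at "high" rather than "critical" on purpose: that shape is also what a software-deployment agent produces, so it is the case where the falsepositives entry in the Sigma rule applies and the "Scope" step of the decision tree (single host versus multi-host deployment) decides the outcome.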
Example Detection Templates
KQL
```kusto
SecurityEvent
| where EventID == 4688
| where NewProcessName endswith "msiexec.exe"
| project TimeGenerated, Computer, ParentProcessName, CommandLine
```

```kusto
// Sysmon network connections from msiexec.exe; the table name depends on how
// Sysmon is ingested (the Event table, or a custom table such as this one)
Sysmon
| where EventID == 3
| where Image endswith "\\msiexec.exe"
| project TimeGenerated, Computer, DestinationIp, DestinationPort
```
EQL
```eql
process where process.name == "msiexec.exe"
```

```eql
sequence by host.name with maxspan=5m
  [ process where process.name == "msiexec.exe" ]
  [ network where process.name == "msiexec.exe" ]
```
Sigma
```yaml
title: MSI Abuse Detection
id: 9a2c7d31-msi-abuse
status: experimental
description: Detects suspicious msiexec usage
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith: '\msiexec.exe'
  condition: selection
fields:
  - ParentProcessName
  - CommandLine
falsepositives:
  - Legitimate software installs
level: medium
tags:
  - attack.execution
  - attack.t1218.007
```
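The EQL sequence template is the one detection above that joins two event types, so it is worth seeing what the join actually does over records. The following Python is an added example, not a query from the original note: it implements the same logic (a Sysmon Event ID 3 network connection from msiexec.exe following a Sysmon Event ID 1 process creation on the same host within five minutes) over constructed Sysmon-style records. The record layout and the field names are assumptions for the example, and the timestamps, hosts, GUIDs and addresses are constructed.

```python
"""
Process-to-network sequence for msiexec.exe, i.e. the logic of the EQL
sequence template (same host, maxspan=5m), run in Python over constructed
Sysmon-style records: Event ID 1 = process creation, Event ID 3 = network
connection. Record layout is an assumption made for this example.
"""
from datetime import datetime

MSIEXEC = r"C:\Windows\System32\msiexec.exe"

# Constructed sample telemetry, not real logs.
SAMPLE_SYSMON = [
    {"ts": "2026-03-07T10:00:00", "host": "ws01", "event_id": 1,
     "image": MSIEXEC, "pguid": "{GUID-A}",
     "cmd": "msiexec.exe /i http://example.invalid/update.msi /qn"},
    {"ts": "2026-03-07T10:00:12", "host": "ws01", "event_id": 3,
     "image": MSIEXEC, "pguid": "{GUID-A}", "dst": "203.0.113.10", "dport": 80},
    # ws02: network connection 11 minutes after the install, outside maxspan
    {"ts": "2026-03-07T10:30:00", "host": "ws02", "event_id": 1,
     "image": MSIEXEC, "pguid": "{GUID-B}",
     "cmd": r"msiexec.exe /i C:\pkgs\agent.msi /qn"},
    {"ts": "2026-03-07T10:41:00", "host": "ws02", "event_id": 3,
     "image": MSIEXEC, "pguid": "{GUID-B}", "dst": "10.0.0.5", "dport": 445},
    # ws03: a browser connection, not msiexec, must be ignored
    {"ts": "2026-03-07T10:00:05", "host": "ws03", "event_id": 3,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "pguid": "{GUID-C}", "dst": "203.0.113.10", "dport": 443},
]


def is_msiexec(rec):
    return rec["image"].lower().endswith("\\msiexec.exe")


def correlate(records, maxspan_minutes=5):
    """Emit one match per msiexec network connection that follows an msiexec
    process creation on the same host within maxspan. The join key is the
    host, as in the EQL template; the process GUID is carried for pivoting."""
    pending = {}   # host -> (timestamp, most recent msiexec process-creation record)
    matches = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not is_msiexec(rec):
            continue
        ts = datetime.fromisoformat(rec["ts"])
        host = rec["host"]
        if rec["event_id"] == 1:
            pending[host] = (ts, rec)
        elif rec["event_id"] == 3 and host in pending:
            start_ts, start = pending[host]
            delta = (ts - start_ts).total_seconds()
            if 0 <= delta <= maxspan_minutes * 60:
                matches.append({
                    "host": host, "pguid": start["pguid"], "cmd": start["cmd"],
                    "dst": rec["dst"], "dport": rec["dport"], "delta_s": delta,
                })
    return matches


if __name__ == "__main__":
    for m in correlate(SAMPLE_SYSMON):
        print(f"{m['host']}: {m['cmd']} -> {m['dst']}:{m['dport']} after {m['delta_s']:.0f}s")
```

Joining on host alone, as the EQL does, is what makes the ws02 case a miss at the default window and a hit at a wider one; joining on the process GUID instead would tie the connection to the specific msiexec instance and is the tighter form when the telemetry carries it.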
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| MSI command monitoring | Alert on remote installs | Critical | Strong signal |
| Silent install detection | Flag /qn usage | High | Valuable anomaly |
| Parent-child monitoring | Watch unusual launchers | Critical | Strong context |
| Application control | Restrict unsigned MSI | High | Reduce abuse |
| Preserve installer logs | Valuable forensic source | High | Helps reconstruction |