Potential MsiExec Masquerading

Rule name: Potential MsiExec Masquerading
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Defense Evasion: Masquerading - Match Legitimate Name or Location (T1036.005)
Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Masquerading using msiexec.exe involves abusing the legitimate Windows Installer binary to execute malicious payloads under the guise of a trusted process. Adversaries may supply command-line arguments that download and install a remote MSI package or execute embedded scripts. Since msiexec.exe is a signed Microsoft binary, it can be used to bypass application allowlisting and avoid detection in environments that trust native Windows processes. This technique is often seen in fileless attacks and living-off-the-land (LotL) scenarios.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Command and Control → Lateral Movement

Impact

  • Defense Evasion
  • Privilege Escalation
  • Lateral movement
  • Data Exfiltration

Rule Requirement

Prerequisites

Using Windows Event Viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "\msiexec.exe" OR ORIGINALFILENAME = "msiexec.exe") AND PROCESSNAME notstartswith "C:\Windows\System32\,C:\Windows\SysWOW64\,C:\Windows\WinSxS\" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME

The PE OriginalFileName of the Windows Installer binary is "msiexec.exe" with no leading backslash, so the second clause compares against the bare name; the trailing backslash on each trusted directory keeps a sibling directory such as C:\Windows\WinSxS_x\ from being excluded along with the genuine WinSxS store.
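The selection-and-filter logic of the criteria above, re-implemented in Python over constructed Sysmon-style process records so the behaviour can be checked offline. This is an added example, not the vendor's rule engine or query language; the field names (PROCESSNAME, ORIGINALFILENAME, actionname) mirror the rule, the host names and paths are made up, and the trusted directories carry a trailing backslash so that a sibling directory of WinSxS is not silently allowlisted.

```python
# Added example, not the vendor's rule engine: the Criteria re-implemented over
# constructed Sysmon-style process-creation records so the selection/filter logic
# can be exercised offline. Field names mirror the rule's (PROCESSNAME, ORIGINALFILENAME).
from typing import Iterable

# Directories a genuine msiexec.exe is launched from. The trailing backslash matters:
# without it a sibling directory such as C:\Windows\WinSxS_x\ would also be allowlisted.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def is_msiexec_masquerade(event: dict) -> bool:
    """True when the event matches the rule's selection but not its path filter.

    Windows paths are case-insensitive, so both sides are lower-cased. A renamed
    copy keeps its PE OriginalFileName, which is why that field is checked too.
    """
    if event.get("actionname") != "Process started":
        return False
    image = event.get("PROCESSNAME", "").lower()
    original = event.get("ORIGINALFILENAME", "").lower()
    selected = image.endswith("\\msiexec.exe") or original == "msiexec.exe"
    return selected and not image.startswith(TRUSTED_DIRS)


def find_alerts(events: Iterable[dict]) -> list:
    """Return (HOSTNAME, PROCESSNAME) for every record the rule would alert on."""
    return [(e["HOSTNAME"], e["PROCESSNAME"]) for e in events if is_msiexec_masquerade(e)]


def ev(host, image, original="msiexec.exe", action="Process started") -> dict:
    """Build a constructed process record carrying only the fields the rule reads."""
    return {"actionname": action, "HOSTNAME": host,
            "PROCESSNAME": image, "ORIGINALFILENAME": original}


# Constructed sample telemetry (not real events). Comments state the expected verdict.
SAMPLE_EVENTS = [
    ev("WS01", r"C:\Windows\System32\msiexec.exe"),          # genuine: filtered out
    ev("WS01", r"c:\windows\syswow64\MSIEXEC.EXE"),          # genuine, odd casing: filtered out
    ev("WS02", r"C:\Users\Public\msiexec.exe"),              # copy outside trusted dirs: alert
    ev("WS03", r"C:\Users\Public\update.exe"),               # renamed copy, caught by OriginalFileName: alert
    ev("WS04", r"C:\Windows\WinSxS_x\msiexec.exe"),          # sibling of WinSxS, not WinSxS itself: alert
    ev("WS02", r"C:\Users\Public\msiexec.exe", action="Process stopped"),  # not a start event: ignored
]

if __name__ == "__main__":
    for host, image in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {image}")
```

Running the block prints one ALERT line each for WS02, WS03 and WS04; the two System32/SysWOW64 launches and the process-stop record produce nothing.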

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Masquerading - Match Legitimate Name or Location (T1036.005)

Security Standards

Enabling this rule will help you meet the security standard requirement listed below:

DE.CM-01 (Networks and network services are monitored to find potentially adverse events)

When this rule is triggered, you're alerted to the execution of msiexec.exe in contexts that suggest potential masquerading—such as unusual command-line arguments or uncommon parent processes.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

Some enterprise software and patch management tools may invoke msiexec.exe with non-standard flags or via scripting tools, which can appear suspicious but are benign.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Look for unusual or renamed instances of msiexec.exe with non-standard command-line arguments or unexpected parent processes.
  • Analysis: Examine associated file paths, payloads, and network connections using EDR tools, process dump analysis, or sandboxing.
  • Response: Terminate the process, isolate the affected system, remove any dropped payloads, and clean up persistence mechanisms.
  • Restrict execution of msiexec.exe to administrative or trusted users only via Group Policy or endpoint controls.

Mitigation

Mitigation ID | Mitigation Name | Mitigation description
M1045 | Code Signing | Require signed binaries and images.
M1038 | Execution Prevention | Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.
M1022 | Restrict File and Directory Permissions | Use file system access controls to protect folders such as C:\Windows\System32.
