AN0940: Analytic 0940
Detection of msiexec.exe running installer packages that result in anomalous process creation. Look for unexpected binaries executed by msiexec or custom action DLLs in the temp directory.
Analyst context for executives and security teams
This analytic highlights a Windows detection opportunity around msiexec.exe, the legitimate Microsoft Installer process. The business issue is not that msiexec exists, but that installer activity can create unexpected child processes or load custom action DLLs from temporary locations. For leaders, this matters because software installation paths often sit at the intersection of endpoint control, change management, SOC visibility, and incident response triage.
Executive priority
Prioritize validation where Windows endpoints are important to business operations and where unauthorized software execution would create operational, compliance, or response risk. Security leaders should ask whether the organization can distinguish normal software deployment activity from anomalous msiexec-driven process creation, and whether endpoint telemetry is retained well enough to support investigation after the fact.
Technical view
SOC and detection teams should validate visibility into msiexec.exe process execution, child process creation, command-line context, file paths, and DLL activity, especially where custom action DLLs or unexpected binaries appear in temporary directories. Because no official detection logic is provided, teams should treat AN0940 as a detection concept requiring local baselining of legitimate installer behavior, software deployment tooling, and administrator activity on Windows systems.
Likely telemetry
- Windows process creation events for msiexec.exe and child processes
- Command-line arguments associated with installer execution
- Parent-child process relationships involving msiexec.exe
- File path evidence for binaries or DLLs executed from temporary directories
- Endpoint detection or host logs showing custom action DLL activity
Detection direction
- Baseline normal msiexec.exe behavior from approved software deployment, patching, and administrative workflows.
- Alert or hunt for msiexec.exe spawning unexpected binaries, especially from temporary directories.
- Review custom action DLL activity where path, signer, source, or timing is inconsistent with approved installation activity.
- Tune for known enterprise software installers to reduce false positives while preserving visibility into unusual child processes.
- Correlate endpoint observations with change tickets or deployment windows before escalating as suspicious.
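As an added illustration of the baselining and alerting direction above (constructed example, not part of the analytic, Glexia or MITRE), the following Python classifies Sysmon-style process creation and image load events involving msiexec.exe as baseline, review or alert. The temp-directory pattern, the approved child list, the approved signer list and the event dictionary shape are all assumptions to be replaced by the local baseline.

```python
import re

# Constructed example, not Glexia or MITRE code. The temp-directory pattern is an
# assumption covering the Windows system and per-user temp locations.
TEMP_DIR = re.compile(r"^[a-z]:\\(windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\", re.I)
MSIEXEC = r"c:\windows\system32\msiexec.exe"
# Child images an approved installer may spawn and signers expected on custom
# action DLLs (assumptions; replace with the local baseline from deployment tooling).
APPROVED_CHILDREN = {MSIEXEC, r"c:\windows\system32\conhost.exe"}  # msiexec spawning itself is normal
APPROVED_SIGNERS = {"Example Vendor Ltd"}

def triage(event: dict) -> str:
    """Return baseline, review or alert for one event. actor_image is the parent
    for process_create and the loading process for image_load."""
    if event["actor_image"].lower() != MSIEXEC:
        return "baseline"  # outside this analytic's scope
    image = event["image"].lower()
    in_temp = bool(TEMP_DIR.match(image))
    if event["type"] == "process_create":
        if image in APPROVED_CHILDREN:
            return "baseline"
        # Unexpected binary launched by the installer; temp origin is the strongest signal.
        return "alert" if in_temp else "review"
    # Custom action DLLs are legitimately extracted to %TEMP%\MSI####.tmp, so the
    # temp path alone is not anomalous; an unexpected signer is what needs review.
    if event["type"] == "image_load" and in_temp and event.get("signer") not in APPROVED_SIGNERS:
        return "review"
    return "baseline"

def triage_all(events):
    """Verdict per event, in input order, paired with the image path."""
    return [(triage(e), e["image"]) for e in events]

# Constructed Sysmon-style events (shapes of event ID 1 and event ID 7).
SAMPLE_EVENTS = [
    {"type": "process_create", "actor_image": MSIEXEC, "image": MSIEXEC},
    {"type": "process_create", "actor_image": MSIEXEC,
     "image": r"C:\Users\alice\AppData\Local\Temp\MSI4F2A.tmp-\helper.exe"},
    {"type": "process_create", "actor_image": MSIEXEC,
     "image": r"C:\Program Files\Example Vendor\postinstall.exe"},
    {"type": "image_load", "actor_image": MSIEXEC, "image": r"C:\Windows\Temp\MSI7B10.tmp"},
    {"type": "image_load", "actor_image": MSIEXEC,
     "image": r"C:\Windows\Temp\MSI7B11.tmp", "signer": "Example Vendor Ltd"},
]

if __name__ == "__main__":
    for verdict, image in triage_all(SAMPLE_EVENTS):
        print(f"{verdict:8} {image}")
```

The "review" verdicts are the ones the list above says to correlate with change tickets or deployment windows before escalating.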
Mitigation priorities
- Ensure Windows endpoint telemetry captures process creation, command line, parent-child relationships, and relevant file path details.
- Maintain approved software deployment and change-management records so SOC teams can compare installer activity against expected business operations.
- Restrict or govern unauthorized software installation where operationally feasible.
- Use application control or execution policy approaches where appropriate to reduce unapproved binaries or DLLs running from temporary paths.
- Document investigation procedures for anomalous msiexec.exe activity so incident responders can quickly separate legitimate installs from suspicious execution.
Analyst notes and limits
AN0940 is a detection analytic, not a technique description. Its value is as a coverage test: can defenders see msiexec.exe causing anomalous process creation, and can they explain whether that activity matches approved installation behavior? Because no relationship context is supplied, this write-up should not be used to infer specific adversaries, campaigns, tactics, or techniques beyond the analytic text itself.
Official detection logic, tactic mapping, relationships, and examples are not supplied. Local baselines, endpoint logging configuration, software deployment practices, and approved installer behavior are required to make this analytic actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7ce2ff62a606… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0940
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.