msiexec.exe as a LOLBIN

May 29, 2019 in EDR, Living off the land, LOLBins

Update:

As Oddvarmoe pointed out it was described before by Philip Tsukerman. Thanks!

Update #2

It looks that this technique was described even earlier by Stefan Kanthak on his excellent Sentinel page.

Old Post

This is just a quick note. Not sure if anyone pointed it out before, but msiexec.exe can work as a replacement for rundll32.exe.

Recipe:

msiexec.exe -Z <your DLL>
msiexec.exe -Y <your DLL> 

That’s it!

Share this :)

Comments are closed.