System Binary Proxy Execution: Msiexec

In the course, you will learn how a malicious user can obfuscate some of their payload actions through downloaded DLL files by utilizing the built in rundll32.exe. By using rundll32, an attacker can make their activity look like a normal Windows system binary process being executed under the rundll32.

Course Content

Raspberry Robin Lab


What is Technique T1218.007?
Attack, Detect and Mitigate


What is Technique T1218.007?
Course Description

*text in italic*

This course will cover the technique:

> [T1218.007]( System Binary Proxy Execution: Msiexec. System binary proxy execution is a means of obfuscating intentionally malicious activity and utilizing system-level permissions to carry out an exploit or payload.

>As you may be aware, Msiexec is a common process on a windows operating system. This course will help you identify illegitimate use cases for Msiexec and show exactly how it pertains to this raspberry robin attack cycle. For the sake of Raspberry Robin, the MSI package was automatically downloaded from the autorun file that was installed from the USB device. The MSI package plays a critical role in establishing the C2 channel the threat actor will use to execute remote commands.

Learn how to detect and mitigate these techniques to protect your organization from this type of attack. Apply what you learn and get the hands-on skills you need in Cybrary's MITRE ATT&CK Framework courses aligned to tactics and techniques used by threat actors.

This course is part of a Career Path:
No items found.

Instructed by

Master Instructor
Matthew Mullins

Matt has led multiple Red Team engagements, ranging from a few weeks to a year and covering multiple security domains. Outside of Red Teaming, Matt is also a seasoned penetration tester with interests in: AppSec, OSINT, Hardware, Wifi, Social Engineering, and Physical Security. Matt has a Master's degree in Information Assurance and an exhaustive number of certifications ranging from frameworks, management, and hands-on hacking. Matt is a Technical SME at Cybrary, focusing on Adversarial Emulation and Red Teaming for course content.

Owen Dubiel

Owen is certified in the GIAC GSEC, CompTIA CySA+, and various other vendor-related certifications. He works both as a technical security engineer and as an SME architect instructor in his spare time. Spreading the word of cyber security is a passion of his. Owen lives in Southeast Michigan with his beautiful wife, daughter, and his dog, Thor. In his free time, Owen enjoys watching sports and movies, and spending time with his family.

Cybrary Logo
Certification Body
Certificate of Completion

Complete this entire course to earn a System Binary Proxy Execution: Msiexec Certificate of Completion