System Binary Proxy Execution: Msiexec
In the course, you will learn how a malicious user can obfuscate some of their payload actions through downloaded DLL files by utilizing the built in rundll32.exe. By using rundll32, an attacker can make their activity look like a normal Windows system binary process being executed under the rundll32.
Already have an account? Sign In »
Module 1: Introduction
Module 2: What is Technique T1218.007?
2.1Attack, Detect and Mitigate
2.2Raspberry Robin Lab
text in italic### This course will cover the technique:
T1218.007: System Binary Proxy Execution: Msiexec. System binary proxy execution is a means of obfuscating intentionally malicious activity and utilizing system-level permissions to carry out an exploit or payload.
As you may be aware, Msiexec is a common process on a windows operating system. This course will help you identify illegitimate use cases for Msiexec and show exactly how it pertains to this raspberry robin attack cycle. For the sake of Raspberry Robin, the MSI package was automatically downloaded from the autorun file that was installed from the USB device. The MSI package plays a critical role in establishing the C2 channel the threat actor will use to execute remote commands.
Learn how to detect and mitigate these techniques to protect your organization from this type of attack. Apply what you learn and get the hands-on skills you need in Cybrary's MITRE ATT&CK Framework courses aligned to tactics and techniques used by threat actors.
Matthew Mullins
Technical Manager, Red Team
Owen Dubiel
Security Engineer
Complete this entire course to earn a System Binary Proxy Execution: Msiexec Certificate of Completion