I am using a cloud based EDR platform to monitor processes occurring on a client's compromised network. Something I have seen a lot of recently is msiexec.exe called with the option "-Embedding"

C:\Windows\System32\MsiExec.exe -Embedding 35507F61C46FB5B70D1543A9D335C298B 

The msiexec documentation (found here) has no mention of this option. Can anyone explain its usage?

jh2014

  • It looks like you're not the first one to see this and ask; there's also this [question on the Microsoft Answers forum from 2009](https://answers.microsoft.com/en-us/windows/forum/all/msiexecexe-embedding-guid/67d85847-804b-4ada-bd5c-21c298258f9d) - which wasn't ever answered. – Jeff Zeitlin Jul 13 '21 at 16:52
  • There is also [this thread on ITNinja](https://www.itninja.com/question/msiexec-exe-embedding-lt-guid-gt-custom-action-switch) with a bit more information. – Jeff Zeitlin Jul 13 '21 at 17:00
  • Do you need to get into debugging MSI custom actions for real or is this just something for reporting? There is a book called ["Inside Windows Debugging"](https://www.amazon.com/Inside-Windows-Debugging-Developer-Reference/dp/0735662789) with some hints. I found a section called ***"Example: The Case of MSI Custom Actions"***. Aging content, but it looks alright. – Stein Åsmul Jul 13 '21 at 20:32

2 Answers

You can find some information from Aaron Stebner here: https://learn.microsoft.com/en-us/archive/blogs/astebner/more-info-about-how-msi-custom-actions-work-behind-the-scenes

Here is an extract:

msiexec.exe -Embedding (GUID) - this is the custom action server (indicated by the -Embedding switch)

Custom Action: A custom action is a custom piece of code that runs during installation. They can be in script or binary form - dll, exe, vbscripts, etc... Danger close. With elevated rights they can basically do "anything", but usually they are OK.

msiexec.exe: There will be numerous msiexec.exe processes during the installation of any MSI file, and some MSI files can trigger quite a few of them. This has to do with how many custom actions exist in the MSI and probably a number of other things. There will also always be a client msiexec.exe process running in user context and a server msiexec.exe process running as LocalSystem (unless the server is run silently - then there is no user part to the install). These processes run the actual installation itself.

Technical Tidbit: I believe the msiexec.exe processes remain in the process list for about 10 minutes after the install. This at least used to be normal behavior (things change). Old blog from Heath Stewart on this.

Malware: With regards to this in a malware-sense. The custom action process can certainly be infected, but most often it is not and the anti-virus software could decide to mess with it because of a false positive. System mode custom actions run elevated with temporary administrator rights and can certainly infect the computer with just about anything. Non-elevated MSI files can install trojans and other kinds of malware by launching them on startup and such things. However, elevated custom actions can install drivers and services and all kinds of madness.

Anti-Virus Blues: A common problem for MSI files is that an anti-virus could decide to quarantine an MSI in the super-hidden MSI cache folder: C:\Windows\Installer. This folder is highly protected and should not be accessed by anything, and messing around here typically causes MSI packages that can not be uninstalled (packages are cached to facilitate uninstall, modify and repair). There are some hacks and fixes for such un-uninstallable packages. Additionally, there are other reasons why the MSI source can be missing (with System Restore weirdness being one of my suspected key culprits).

Keys to the City: Having gone well beyond what you actually asked: if you are sure an MSI is infected, I would be hesitant to invoke its uninstaller... I guess that goes without saying. If it runs elevated it has "the keys to the city". Use that Microsoft FixIt tool (found in the linked answer above) or some other approach to wipe the install. Or better yet: rebuild your box I suppose - as if you are not busy enough?


Stein Åsmul
That's not an option for us.

On NT-based OS, MsiExec runs multiple times: once in the user context and once as a Windows service. There are also other processes depending on custom action impersonation. Embedding is part of the process of how the client (user) side passes off the session to the server (service) side.

Christopher Painter
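Both answers above describe the same picture: the `-Embedding` process is the custom action server started by the Windows Installer service, while the user-context client carries the ordinary install switches, and the legitimate binary lives under `C:\Windows\System32`. The following is an added triage example written for this page, not code from the question, either answer, or any EDR product. It runs over a few constructed process events in a simplified schema (`pid`, `image`, `parent_image`, `cmdline` are assumed field names), classifies each msiexec invocation by role, and raises alerts only on things the answers give grounds for: an msiexec image outside System32/SysWOW64, an `-Embedding` token that does not look like the long hex value seen in the question, and (an assumption of this example) a custom action server whose parent is not itself an msiexec.exe process.

```python
"""Triage heuristics for msiexec.exe process events from an EDR feed.

Added example, not code from the question or either answer. The event schema,
the sample events and the "expected parent" rule are assumptions of this
example; the -Embedding meaning and the System32 path come from the thread.
"""
import re
from collections import Counter

# Constructed sample events in a simplified EDR schema (not real telemetry).
SAMPLE_EVENTS = [
    {   # normal custom action server spawned by the installer service
        "pid": 4120,
        "image": r"C:\Windows\System32\MsiExec.exe",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r"C:\Windows\System32\MsiExec.exe -Embedding 35507F61C46FB5B70D1543A9D335C298B",
    },
    {   # normal user-context client install
        "pid": 5012,
        "image": r"C:\Windows\System32\msiexec.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi /qn",
    },
    {   # constructed suspicious event: wrong path, odd token, odd parent
        "pid": 6123,
        "image": r"C:\Users\Public\msiexec.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"C:\Users\Public\msiexec.exe -Embedding 1234",
    },
]

# -Embedding <token>: the custom action server switch described in the thread.
EMBEDDING_RE = re.compile(r"(?:^|\s)[-/]embedding\s+(\S+)", re.IGNORECASE)
# Ordinary client-side install/uninstall/repair switches.
INSTALL_SWITCH_RE = re.compile(r"(?:^|\s)[-/](i|x|f|a|p|j|y|z)\b", re.IGNORECASE)
# Standard on-disk locations of the Windows Installer executable.
EXPECTED_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}
# Assumption of this example: the server token is a long hex string, like the
# 33-character value in the question. Shorter or non-hex tokens are flagged.
TOKEN_RE = re.compile(r"[0-9a-f]{32,}", re.IGNORECASE)


def triage(event):
    """Classify one msiexec event; return (role, alerts).

    role is "custom-action-server", "client-install" or "other".
    alerts is a list of human-readable reasons the event deserves a look.
    """
    alerts = []
    if event["image"].lower() not in EXPECTED_IMAGES:
        alerts.append(f"msiexec image outside System32/SysWOW64: {event['image']}")

    cmd = event["cmdline"]
    match = EMBEDDING_RE.search(cmd)
    if match:
        role = "custom-action-server"
        token = match.group(1)
        if not TOKEN_RE.fullmatch(token):
            alerts.append(f"unexpected -Embedding token: {token}")
        # Assumption: the custom action server is started by the installer
        # service, itself an msiexec.exe process, so any other parent is odd.
        if not event["parent_image"].lower().endswith("\\msiexec.exe"):
            alerts.append(f"-Embedding process with non-msiexec parent: {event['parent_image']}")
    elif INSTALL_SWITCH_RE.search(cmd):
        role = "client-install"
    else:
        role = "other"
    return role, alerts


def summarize(events):
    """Triage a batch; return (role_counts, flagged) where flagged maps
    pid -> alerts for every event that raised at least one alert."""
    roles = Counter()
    flagged = {}
    for ev in events:
        role, alerts = triage(ev)
        roles[role] += 1
        if alerts:
            flagged[ev["pid"]] = alerts
    return roles, flagged


if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_EVENTS)
    print("roles:", dict(counts))
    for pid, reasons in hits.items():
        print(f"pid {pid}:")
        for reason in reasons:
            print("  -", reason)
```

The point of the rules is to keep the noise down: every MSI install produces several msiexec.exe processes, and `-Embedding` on its own is expected, so the script treats it as a normal role and only escalates when the binary path, the token shape, or the process ancestry departs from what the answers describe. The parent check in particular is a heuristic of this example and should be validated against your own clean baseline before it drives alerts.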