Remote Management Access Launch After MSI Install

 1[metadata]
 2creation_date = "2026/03/18"
 3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 4maturity = "production"
 5updated_date = "2026/03/18"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect.
11This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.
12"""
13from = "now-9m"
14index = [
15    "endgame-*",
16    "logs-crowdstrike.fdr*",
17    "logs-endpoint.events.process-*",
18    "logs-m365_defender.event-*",
19    "logs-sentinel_one_cloud_funnel.*",
20    "logs-system.security*",
21    "logs-windows.sysmon_operational-*",
22    "winlogbeat-*",
23]
24language = "eql"
25license = "Elastic License v2"
26name = "Remote Management Access Launch After MSI Install"
27note = """## Triage and analysis
28
29### Investigating Remote Management Access Launch After MSI Install
30
31This rule fires when the same host runs msiexec with an install argument (/i) and within one minute starts a pre-configured RMM software.
32
33### Possible investigation steps
34
35- Confirm the sequence on the host: first event should be msiexec.exe with process.args containing "/i"; second should be a remote management software.
36- Review the source of the MSI file using file events.
37- Check whether use of RMM software is approved for this host.
38- Check network events to validate which remote host the RMM software connects to.
39- Correlate with other alerts for the same host (initial access, persistence, C2).
40
41### False positive analysis
42
43- Legitimate IT/MSP deployment of RMM for support.
44
45### Response and remediation
46
47- If unauthorized RMM use or abuse is confirmed: isolate the host, terminate the ScreenConnect client, remove or block the installation, and investigate how the MSI was delivered and who operates the relay.
48"""
49references = ["https://attack.mitre.org/techniques/T1219/"]
50risk_score = 47
51rule_id = "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d"
52severity = "medium"
53tags = [
54    "Domain: Endpoint",
55    "OS: Windows",
56    "Use Case: Threat Detection",
57    "Tactic: Command and Control",
58    "Resources: Investigation Guide",
59    "Data Source: Elastic Defend",
60    "Data Source: Sysmon",
61    "Data Source: SentinelOne",
62    "Data Source: Microsoft Defender for Endpoint",
63    "Data Source: Crowdstrike", 
64    "Data Source: Windows Security Event Logs", 
65    "Data Source: Elastic Endgame"
66]
67timestamp_override = "event.ingested"
68type = "eql"
69
70query = '''
71sequence by host.id with maxspan=1m
72 [process where host.os.type == "windows" and event.type == "start" and process.name : "msiexec.exe" and process.args : ("/i*", "-i*")]
73 [process where host.os.type == "windows" and event.type == "start" and
74  (
75   (process.name : "ScreenConnect.ClientService.exe" and process.command_line : "*?e=Access&y=Guest&h*&k=*") or
76   (process.name : "Syncro.Installer.exe" and process.args : "--config-json" and process.args : "--key") or 
77    process.name : ("tvnserver.exe", "winvnc.exe") 
78  )
79  ]
80'''
81
82[[rule.threat]]
83framework = "MITRE ATT&CK"
84[[rule.threat.technique]]
85id = "T1219"
86name = "Remote Access Tools"
87reference = "https://attack.mitre.org/techniques/T1219/"
88[[rule.threat.technique.subtechnique]]
89id = "T1219.002"
90name = "Remote Desktop Software"
91reference = "https://attack.mitre.org/techniques/T1219/002/"
92
93[rule.threat.tactic]
94id = "TA0011"
95name = "Command and Control"
96reference = "https://attack.mitre.org/tactics/TA0011/"