Remote Management Access Launch After MSI Install
Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect. This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/03/18"
3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
4maturity = "production"
5updated_date = "2026/05/04"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect.
11This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.
12"""
13from = "now-9m"
14index = [
15 "endgame-*",
16 "logs-crowdstrike.fdr*",
17 "logs-endpoint.events.process-*",
18 "logs-m365_defender.event-*",
19 "logs-sentinel_one_cloud_funnel.*",
20 "logs-system.security*",
21 "logs-windows.sysmon_operational-*",
22 "winlogbeat-*",
23]
24language = "eql"
25license = "Elastic License v2"
26name = "Remote Management Access Launch After MSI Install"
27note = """## Triage and analysis
28
29### Investigating Remote Management Access Launch After MSI Install
30
31This rule fires when the same host runs msiexec with an install argument (/i) and within one minute starts a pre-configured RMM software.
32
33### Possible investigation steps
34
35- Confirm the sequence on the host: first event should be msiexec.exe with process.args containing "/i"; second should be a remote management software.
36- Review the source of the MSI file using file events.
37- Check whether use of RMM software is approved for this host.
38- Check network events to validate which remote host the RMM software connects to.
39- Correlate with other alerts for the same host (initial access, persistence, C2).
40
41### False positive analysis
42
43- Legitimate IT/MSP deployment of RMM for support.
44
45### Response and remediation
46
47- If unauthorized RMM use or abuse is confirmed: isolate the host, terminate the ScreenConnect client, remove or block the installation, and investigate how the MSI was delivered and who operates the relay.
48"""
49
50setup = """## Setup
51
52This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
53
54Setup instructions: https://ela.st/install-elastic-defend
55
56### Additional data sources
57
58This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
59
60- [CrowdStrike](https://ela.st/crowdstrike-integration)
61- [Microsoft Defender XDR](https://ela.st/m365-defender)
62- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
63- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
64- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
65"""
66
67references = ["https://attack.mitre.org/techniques/T1219/"]
68risk_score = 47
69rule_id = "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d"
70severity = "medium"
71tags = [
72 "Domain: Endpoint",
73 "OS: Windows",
74 "Use Case: Threat Detection",
75 "Tactic: Command and Control",
76 "Resources: Investigation Guide",
77 "Data Source: Elastic Defend",
78 "Data Source: Sysmon",
79 "Data Source: SentinelOne",
80 "Data Source: Microsoft Defender XDR",
81 "Data Source: Crowdstrike",
82 "Data Source: Windows Security Event Logs",
83 "Data Source: Elastic Endgame"
84]
85timestamp_override = "event.ingested"
86type = "eql"
87
88query = '''
89sequence by host.id with maxspan=1m
90 [process where host.os.type == "windows" and event.type == "start" and process.name : "msiexec.exe" and
91 process.args : ("/i*", "-i*") and process.parent.name : ("explorer.exe", "sihost.exe")]
92 [process where host.os.type == "windows" and event.type == "start" and
93 (
94 (process.name : "ScreenConnect.ClientService.exe" and process.command_line : "*?e=Access&y=Guest&h*&k=*") or
95 (process.name : "Syncro.Installer.exe" and process.args : "--config-json" and process.args : "--key") or
96 process.name : ("tvnserver.exe", "winvnc.exe")
97 )]
98'''
99
100[[rule.threat]]
101framework = "MITRE ATT&CK"
102[[rule.threat.technique]]
103id = "T1219"
104name = "Remote Access Tools"
105reference = "https://attack.mitre.org/techniques/T1219/"
106[[rule.threat.technique.subtechnique]]
107id = "T1219.002"
108name = "Remote Desktop Software"
109reference = "https://attack.mitre.org/techniques/T1219/002/"
110
111[rule.threat.tactic]
112id = "TA0011"
113name = "Command and Control"
114reference = "https://attack.mitre.org/tactics/TA0011/"
Triage and analysis
Investigating Remote Management Access Launch After MSI Install
This rule fires when the same host runs msiexec with an install argument (/i) and within one minute starts a pre-configured RMM software.
Possible investigation steps
- Confirm the sequence on the host: first event should be msiexec.exe with process.args containing "/i"; second should be a remote management software.
- Review the source of the MSI file using file events.
- Check whether use of RMM software is approved for this host.
- Check network events to validate which remote host the RMM software connects to.
- Correlate with other alerts for the same host (initial access, persistence, C2).
False positive analysis
- Legitimate IT/MSP deployment of RMM for support.
Response and remediation
- If unauthorized RMM use or abuse is confirmed: isolate the host, terminate the ScreenConnect client, remove or block the installation, and investigate how the MSI was delivered and who operates the relay.
References
Related rules
- Attempt to Establish VScode Remote Tunnel
- Multiple Remote Management Tool Vendors on Same Host
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Potential Protocol Tunneling via Cloudflared