MsiExec Service Child Process With Network Connection

  1[metadata]
  2creation_date = "2024/09/09"
  3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the execution of an MsiExec service child process followed by network or dns lookup activity. Adversaries may
 11abuse Windows Installers for initial access and delivery of malware.
 12"""
 13from = "now-9m"
 14index = [
 15    "logs-endpoint.events.process-*",
 16    "logs-endpoint.events.network-*",
 17    "logs-windows.sysmon_operational-*",
 18    "logs-sentinel_one_cloud_funnel.*",
 19]
 20language = "eql"
 21license = "Elastic License v2"
 22name = "MsiExec Service Child Process With Network Connection"
 23note = """## Triage and analysis
 24
 25> **Disclaimer**:
 26> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 27
 28### Investigating MsiExec Service Child Process With Network Connection
 29
 30MsiExec is a Windows utility for installing, maintaining, and removing software. Adversaries exploit it to execute malicious payloads by disguising them as legitimate installations. The detection rule identifies suspicious child processes spawned by MsiExec that initiate network activity, which is atypical for standard installations. By focusing on unusual executable paths and network connections, the rule helps uncover potential misuse indicative of malware delivery or initial access attempts.
 31
 32### Possible investigation steps
 33
 34- Review the process tree to identify the parent and child processes of the suspicious MsiExec activity, focusing on the process.entity_id and process.parent.name fields to understand the execution flow.
 35- Examine the process.executable path to determine if it deviates from typical installation paths, as specified in the query, to assess the likelihood of malicious activity.
 36- Analyze the network or DNS activity associated with the process by reviewing the event.category field for network or dns events, and correlate these with the process.name to identify any unusual or unauthorized connections.
 37- Check the process.args for any unusual or suspicious command-line arguments that might indicate an attempt to execute malicious payloads or scripts.
 38- Investigate the host's recent activity and security logs to identify any other indicators of compromise or related suspicious behavior, leveraging data sources like Elastic Defend, Sysmon, or SentinelOne as mentioned in the rule's tags.
 39- Assess the risk and impact of the detected activity by considering the context of the alert, such as the host's role in the network and any potential data exposure or system compromise.
 40
 41### False positive analysis
 42
 43- Legitimate software installations or updates may trigger the rule if they involve network activity. Users can create exceptions for known software update processes that are verified as safe.
 44- Custom enterprise applications that use MsiExec for deployment and require network access might be flagged. Identify these applications and exclude their specific executable paths from the rule.
 45- Automated deployment tools that utilize MsiExec and perform network operations could be misidentified. Review these tools and whitelist their processes to prevent false alerts.
 46- Security software or system management tools that leverage MsiExec for legitimate purposes may cause false positives. Confirm these tools' activities and add them to an exclusion list if necessary.
 47- Regularly review and update the exclusion list to ensure it reflects the current environment and any new legitimate software that may interact with MsiExec.
 48
 49### Response and remediation
 50
 51- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
 52- Terminate the suspicious child process spawned by MsiExec to halt any ongoing malicious operations.
 53- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or remnants.
 54- Review and analyze the process execution and network activity logs to identify any additional indicators of compromise (IOCs) and assess the scope of the intrusion.
 55- Reset credentials and review access permissions for any accounts that may have been compromised or used during the attack.
 56- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 57- Implement enhanced monitoring and detection rules to identify similar threats in the future, focusing on unusual MsiExec activity and network connections."""
 58risk_score = 47
 59rule_id = "65432f4a-e716-4cc1-ab11-931c4966da2d"
 60severity = "medium"
 61tags = [
 62    "Domain: Endpoint",
 63    "OS: Windows",
 64    "Use Case: Threat Detection",
 65    "Tactic: Defense Evasion",
 66    "Data Source: Elastic Defend",
 67    "Data Source: Sysmon",
 68    "Data Source: SentinelOne",
 69    "Resources: Investigation Guide",
 70]
 71type = "eql"
 72
 73query = '''
 74sequence by process.entity_id with maxspan=1m
 75 [process where host.os.type == "windows" and event.type : "start" and
 76  process.parent.name : "msiexec.exe" and process.parent.args : "/v" and
 77  not process.executable :
 78        ("?:\\Windows\\System32\\msiexec.exe",
 79         "?:\\Windows\\sysWOW64\\msiexec.exe",
 80         "?:\\Windows\\system32\\srtasks.exe",
 81         "?:\\Windows\\syswow64\\srtasks.exe",
 82         "?:\\Windows\\sys*\\taskkill.exe",
 83         "?:\\Program Files\\*.exe",
 84         "?:\\Program Files (x86)\\*.exe",
 85         "?:\\Windows\\Installer\\MSI*.tmp",
 86         "?:\\Windows\\Microsoft.NET\\Framework*\\RegSvcs.exe") and
 87 not (process.name : ("rundll32.exe", "regsvr32.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))]
 88[any where host.os.type == "windows" and event.category in ("network", "dns") and process.name != null]
 89'''
 90
 91
 92[[rule.threat]]
 93framework = "MITRE ATT&CK"
 94[[rule.threat.technique]]
 95id = "T1218"
 96name = "System Binary Proxy Execution"
 97reference = "https://attack.mitre.org/techniques/T1218/"
 98[[rule.threat.technique.subtechnique]]
 99id = "T1218.007"
100name = "Msiexec"
101reference = "https://attack.mitre.org/techniques/T1218/007/"
102
103
104
105[rule.threat.tactic]
106id = "TA0005"
107name = "Defense Evasion"
108reference = "https://attack.mitre.org/tactics/TA0005/"