MsiExec Service Child Process With Network Connection

Identifies the execution of an MsiExec service child process followed by network connection or DNS lookup activity. Adversaries may abuse Windows Installers for initial access and delivery of malware.


 1[metadata]
 2creation_date = "2024/09/09"
 3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 6min_stack_version = "8.14.0"
 7updated_date = "2024/10/15"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of an MsiExec service child process followed by network or dns lookup activity. Adversaries may
13abuse Windows Installers for initial access and delivery of malware.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "MsiExec Service Child Process With Network Connection"
20risk_score = 47
21rule_id = "65432f4a-e716-4cc1-ab11-931c4966da2d"
22severity = "medium"
23tags = [
24    "Domain: Endpoint",
25    "OS: Windows",
26    "Use Case: Threat Detection",
27    "Tactic: Defense Evasion",
28    "Data Source: Elastic Defend",
29    "Data Source: Sysmon",
30    "Data Source: SentinelOne",
31]
32type = "eql"
33
34query = '''
35sequence by process.entity_id with maxspan=1m
36 [process where host.os.type == "windows" and event.type : "start" and
37  process.parent.name : "msiexec.exe" and process.parent.args : "/v" and
38  not process.executable :
39        ("?:\\Windows\\System32\\msiexec.exe",
40         "?:\\Windows\\sysWOW64\\msiexec.exe",
41         "?:\\Windows\\system32\\srtasks.exe",
42         "?:\\Windows\\syswow64\\srtasks.exe",
43         "?:\\Windows\\sys*\\taskkill.exe",
44         "?:\\Program Files\\*.exe",
45         "?:\\Program Files (x86)\\*.exe",
46         "?:\\Windows\\Installer\\MSI*.tmp",
47         "?:\\Windows\\Microsoft.NET\\Framework*\\RegSvcs.exe") and
48 not (process.name : ("rundll32.exe", "regsvr32.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))]
49[any where host.os.type == "windows" and event.category in ("network", "dns") and process.name != null]
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1218"
57name = "System Binary Proxy Execution"
58reference = "https://attack.mitre.org/techniques/T1218/"
59[[rule.threat.technique.subtechnique]]
60id = "T1218.007"
61name = "Msiexec"
62reference = "https://attack.mitre.org/techniques/T1218/007/"
63
64
65
66[rule.threat.tactic]
67id = "TA0005"
68name = "Defense Evasion"
69reference = "https://attack.mitre.org/tactics/TA0005/"
