MsiExec Service Child Process With Network Connection
Identifies the execution of an MsiExec service child process followed by network or dns lookup activity. Adversaries may abuse Windows Installers for initial access and delivery of malware.
# Rule bookkeeping only; nothing in this table affects the detection logic under [rule].
[metadata]
creation_date = "2024/09/09"
# Integrations whose data streams are matched by the index patterns listed under [rule].
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
# Explains the stack-version floor below: the rule depends on the Windows integration
# change that shipped in 8.14.0.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of an MsiExec service child process followed by network or dns lookup activity. Adversaries may
abuse Windows Installers for initial access and delivery of malware.
"""
# Lookback window per rule execution. It is deliberately wider than the 1m sequence
# maxspan so both steps of the sequence fall inside a single run; presumably it also
# absorbs ingest delay — confirm against the rule's scheduling interval.
from = "now-9m"
# One data stream per integration named in [metadata]: Elastic Defend process and
# network events, Sysmon, and SentinelOne Cloud Funnel.
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "MsiExec Service Child Process With Network Connection"
# risk_score and severity should be kept consistent (47 is paired with "medium" here).
risk_score = 47
rule_id = "65432f4a-e716-4cc1-ab11-931c4966da2d"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
]
type = "eql"

# Two-step EQL sequence joined on process.entity_id (both steps must come from the
# same process) within one minute:
#   1. a process start whose parent is msiexec.exe invoked with "/v" (presumably the
#      Windows Installer service instance — confirm), excluding the listed known-benign
#      child executables and rundll32/regsvr32 whose arguments point under Program Files;
#   2. any network or DNS event from that same process; process.name != null requires
#      the event to carry process attribution.
# Tuning note: the "Program Files*" and "Installer\MSI*.tmp" exclusions are path
# wildcards, so anything an installer places in those locations is excluded as well.
# Treat them as a deliberate false-positive trade-off and review before widening them.
# Comments cannot be placed inside the literal string below without changing the query.
query = '''
sequence by process.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.type : "start" and
 process.parent.name : "msiexec.exe" and process.parent.args : "/v" and
 not process.executable :
 ("?:\\Windows\\System32\\msiexec.exe",
 "?:\\Windows\\sysWOW64\\msiexec.exe",
 "?:\\Windows\\system32\\srtasks.exe",
 "?:\\Windows\\syswow64\\srtasks.exe",
 "?:\\Windows\\sys*\\taskkill.exe",
 "?:\\Program Files\\*.exe",
 "?:\\Program Files (x86)\\*.exe",
 "?:\\Windows\\Installer\\MSI*.tmp",
 "?:\\Windows\\Microsoft.NET\\Framework*\\RegSvcs.exe") and
 not (process.name : ("rundll32.exe", "regsvr32.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))]
 [any where host.os.type == "windows" and event.category in ("network", "dns") and process.name != null]
'''


# ATT&CK mapping: a single tactic/technique pair. [rule.threat.tactic] below is a
# sub-table of this [[rule.threat]] element and must stay between this header and
# any later [[rule.threat]] element, or it would attach to the wrong entry.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
# Sub-technique of the technique entry directly above.
[[rule.threat.technique.subtechnique]]
id = "T1218.007"
name = "Msiexec"
reference = "https://attack.mitre.org/techniques/T1218/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"