Potential Remote File Execution via MSIEXEC

Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/09/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may
abuse msiexec.exe to launch local or network accessible MSI files.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote File Execution via MSIEXEC"
risk_score = 21
rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence with maxspan=1m
 [process where host.os.type == "windows" and event.action == "start" and
    process.name : "msiexec.exe" and process.args : "/V"] by process.entity_id
 [network where host.os.type == "windows" and process.name : "msiexec.exe" and
    event.action == "connection_attempted"] by process.entity_id
 [process where host.os.type == "windows" and event.action == "start" and
  process.parent.name : "msiexec.exe" and user.id : ("S-1-5-21-*", "S-1-5-12-1-*") and
  not process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe",
                            "?:\\Windows\\System32\\msiexec.exe",
                            "?:\\Windows\\System32\\srtasks.exe",
                            "?:\\Windows\\SysWOW64\\srtasks.exe",
                            "?:\\Windows\\System32\\taskkill.exe",
                            "?:\\Windows\\Installer\\MSI*.tmp",
                            "?:\\Program Files\\*.exe",
                            "?:\\Program Files (x86)\\*.exe",
                            "?:\\Windows\\System32\\ie4uinit.exe",
                            "?:\\Windows\\SysWOW64\\ie4uinit.exe",
                            "?:\\Windows\\System32\\sc.exe",
                            "?:\\Windows\\system32\\Wbem\\mofcomp.exe",
                            "?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe",
                            "?:\\Windows\\SysWOW64\\taskkill.exe",
                            "?:\\Windows\\SysWOW64\\schtasks.exe",
                            "?:\\Windows\\system32\\schtasks.exe",
                            "?:\\Windows\\System32\\sdbinst.exe") and
  not (process.code_signature.subject_name == "Citrix Systems, Inc." and process.code_signature.trusted == true) and
  not (process.name : ("regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe") and
       process.Ext.token.integrity_level_name == "high" and
       process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and
  not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true) and
  not (process.name : "rundll32.exe" and process.args : "printui.dll,PrintUIEntry")
  ] by process.parent.entity_id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Remote File Execution via MSIEXEC

MSIEXEC, the Windows Installer, facilitates software installation, modification, and removal. Adversaries exploit it to execute remote MSI files, bypassing security controls. The detection rule identifies suspicious MSIEXEC activity by monitoring process starts, network connections, and child processes, filtering out known benign signatures and paths, thus highlighting potential misuse for initial access or defense evasion.

### Possible investigation steps

- Review the process start event for msiexec.exe to identify the command-line arguments used, focusing on the presence of the "/V" flag, which indicates a remote installation attempt.
- Examine the network connection attempts associated with msiexec.exe to determine the remote IP addresses or domains being contacted, and assess their reputation or any known associations with malicious activity.
- Investigate the child processes spawned by msiexec.exe, especially those not matching known benign executables or paths, to identify any suspicious or unexpected activity.
- Check the user ID associated with the msiexec.exe process to verify if it aligns with expected user behavior or if it indicates potential compromise, especially focusing on user IDs like "S-1-5-21-*" or "S-1-5-12-1-*".
- Analyze the code signature of any child processes to ensure they are trusted and expected, paying particular attention to any unsigned or untrusted executables.
- Correlate the alert with any recent phishing attempts or suspicious emails received by the user, as the MITRE ATT&CK technique T1566 (Phishing) is associated with this rule.

### False positive analysis

- Legitimate software installations using msiexec.exe may trigger the rule. To manage this, create exceptions for known software update processes that use msiexec.exe with trusted code signatures.
- System maintenance tasks that involve msiexec.exe, such as Windows updates or system repairs, can be excluded by identifying and allowing specific system paths and executables involved in these processes.
- Enterprise software deployment tools that utilize msiexec.exe for remote installations might cause false positives. Exclude these by verifying the code signature and adding exceptions for trusted deployment tools.
- Administrative scripts or automation tools that invoke msiexec.exe for legitimate purposes should be reviewed and, if verified as safe, excluded based on their execution context and code signature.
- Network monitoring tools or security software that simulate msiexec.exe activity for testing or monitoring purposes can be excluded by identifying their specific signatures and paths.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration. This can be done by disabling network interfaces or moving the system to a quarantine VLAN.
- Terminate the msiexec.exe process if it is still running to stop any ongoing malicious activity. Use task management tools or scripts to ensure the process is completely stopped.
- Conduct a thorough review of the system for any unauthorized changes or installations. Check for newly installed software or modifications to system files that could indicate further compromise.
- Restore the system from a known good backup if unauthorized changes are detected and cannot be easily reversed. Ensure the backup is clean and free from any malicious alterations.
- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. This includes applying all relevant Windows updates and security patches.
- Enhance monitoring and logging on the affected system and network to detect any similar future attempts. Ensure that all relevant security events are being captured and analyzed.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. Provide them with all relevant logs and findings for a comprehensive analysis."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.007"
name = "Msiexec"
reference = "https://attack.mitre.org/techniques/T1218/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
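The EQL sequence above is easiest to reason about when the three stages and their join key are spelled out in plain code. The following Python script is an added example, not part of the Elastic rule or its tooling: it re-implements the same three-stage correlation (msiexec.exe started with "/V", then a network connection attempt by that same process, then a child of that process that survives every exclusion in the rule) over a handful of constructed sample events. The event dictionaries, entity ids, SIDs and timestamps are all made up for the example; the wildcard patterns and exclusion logic are copied from the rule. EQL's ':' operator is approximated with case-insensitive fnmatch, and the sequence semantics are simplified to "one chain per msiexec entity id within maxspan".

```python
"""Added example: the rule's three-stage sequence re-implemented over constructed events."""
import fnmatch
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)  # sequence with maxspan=1m

# Verbatim from the rule's process.executable exclusion list.
EXCLUDED_EXECUTABLES = [
    "?:\\Windows\\SysWOW64\\msiexec.exe", "?:\\Windows\\System32\\msiexec.exe",
    "?:\\Windows\\System32\\srtasks.exe", "?:\\Windows\\SysWOW64\\srtasks.exe",
    "?:\\Windows\\System32\\taskkill.exe", "?:\\Windows\\SysWOW64\\taskkill.exe",
    "?:\\Windows\\Installer\\MSI*.tmp", "?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe",
    "?:\\Windows\\System32\\ie4uinit.exe", "?:\\Windows\\SysWOW64\\ie4uinit.exe",
    "?:\\Windows\\System32\\sc.exe", "?:\\Windows\\system32\\Wbem\\mofcomp.exe",
    "?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe", "?:\\Windows\\SysWOW64\\schtasks.exe",
    "?:\\Windows\\system32\\schtasks.exe", "?:\\Windows\\System32\\sdbinst.exe",
]
PROGRAM_FILES_EXE = ["?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe"]
PROGRAM_FILES_ANY = ["?:\\Program Files\\*", "?:\\Program Files (x86)\\*"]


def wild(value, patterns):
    """Approximates EQL's ':' operator: case-insensitive wildcard match (? and *)."""
    if value is None:
        return False
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def any_arg(args, patterns):
    """process.args : X is true if any single argv element matches."""
    return any(wild(a, patterns) for a in (args or []))


def is_msiexec_start(e):                     # stage 1, keyed by process.entity_id
    return (e["category"] == "process" and e["action"] == "start"
            and wild(e.get("name"), "msiexec.exe") and any_arg(e.get("args"), "/V"))


def is_msiexec_connection(e):                # stage 2, keyed by process.entity_id
    return (e["category"] == "network" and e["action"] == "connection_attempted"
            and wild(e.get("name"), "msiexec.exe"))


def is_suspicious_child(e):                  # stage 3, keyed by process.parent.entity_id
    if not (e["category"] == "process" and e["action"] == "start"
            and wild(e.get("parent_name"), "msiexec.exe")
            and wild(e.get("user_id"), ["S-1-5-21-*", "S-1-5-12-1-*"])):
        return False
    exe, trusted = e.get("executable"), e.get("sig_trusted") is True
    if wild(exe, EXCLUDED_EXECUTABLES):
        return False
    if e.get("sig_subject") == "Citrix Systems, Inc." and trusted:
        return False
    if (wild(e.get("name"), ["regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe"])
            and e.get("integrity") == "high" and any_arg(e.get("args"), PROGRAM_FILES_ANY)):
        return False
    if wild(exe, PROGRAM_FILES_EXE) and trusted:
        return False
    if wild(e.get("name"), "rundll32.exe") and any_arg(e.get("args"), "printui.dll,PrintUIEntry"):
        return False
    return True


def detect(events):
    """Correlate stages in time order, joined on the msiexec entity id, whole chain within MAXSPAN."""
    started, connected, alerts = {}, {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = e["ts"]
        if is_msiexec_start(e):
            started[e["entity_id"]] = ts
        elif is_msiexec_connection(e):
            key = e["entity_id"]
            if key in started and ts - started[key] <= MAXSPAN:
                connected[key] = ts
        elif is_suspicious_child(e):
            key = e.get("parent_entity_id")
            if key in connected and ts - started[key] <= MAXSPAN:
                alerts.append({"msiexec_entity_id": key, "child_name": e.get("name"),
                               "child_executable": e.get("executable"), "child_started": ts})
                started.pop(key); connected.pop(key)   # one alert per chain
    return alerts


# Constructed sample telemetry (not real data). T0 and all ids are invented.
T0 = datetime(2025, 1, 15, 10, 0, 0)
SID = "S-1-5-21-1111-2222-3333-1001"


def ev(category, action, secs, **fields):
    return {"category": category, "action": action, "ts": T0 + timedelta(seconds=secs), **fields}


SAMPLE_EVENTS = [
    # Chain ent-1 (alerts): /V start, outbound connection, unsigned child launched from %TEMP%.
    ev("process", "start", 0, name="msiexec.exe", args=["msiexec.exe", "/V"], entity_id="ent-1"),
    ev("network", "connection_attempted", 5, name="msiexec.exe", entity_id="ent-1"),
    ev("process", "start", 20, name="update.exe", args=["update.exe"], parent_name="msiexec.exe",
       parent_entity_id="ent-1", user_id=SID,
       executable="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
    # Chain ent-2 (benign): same shape, but the child is the Installer's own MSI*.tmp helper.
    ev("process", "start", 30, name="msiexec.exe", args=["msiexec.exe", "/V"], entity_id="ent-2"),
    ev("network", "connection_attempted", 32, name="msiexec.exe", entity_id="ent-2"),
    ev("process", "start", 40, name="MSI4F21.tmp", args=[], parent_name="msiexec.exe",
       parent_entity_id="ent-2", user_id=SID, executable="C:\\Windows\\Installer\\MSI4F21.tmp"),
    # Chain ent-3 (no alert): the child starts 70 s after msiexec, outside maxspan=1m.
    ev("process", "start", 100, name="msiexec.exe", args=["msiexec.exe", "/V"], entity_id="ent-3"),
    ev("network", "connection_attempted", 101, name="msiexec.exe", entity_id="ent-3"),
    ev("process", "start", 170, name="update.exe", args=["update.exe"], parent_name="msiexec.exe",
       parent_entity_id="ent-3", user_id=SID,
       executable="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints one alert, for chain ent-1. Chain ent-2 is dropped by the MSI*.tmp exclusion and chain ent-3 by the one-minute maxspan, which is exactly the behaviour a triage analyst should expect from the EQL version: an excluded child or a slow chain produces no alert, so tuning work belongs in the stage-3 exclusion list rather than in the first two stages.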
