Persistence via a Windows Installer

Identifies when the Windows installer process msiexec.exe creates a new persistence entry via scheduled tasks or startup.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/09/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when the Windows installer process msiexec.exe creates a new persistence entry via scheduled tasks or startup.
"""
false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "logs-endpoint.events.file-*"
]
language = "eql"
license = "Elastic License v2"
name = "Persistence via a Windows Installer"
risk_score = 47
rule_id = "1719ee47-89b8-4407-9d55-6dff2629dd4c"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and
 (process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
 (
  (event.category == "file" and event.action == "creation" and
   file.path : ("?:\\Windows\\System32\\Tasks\\*",
                "?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
                "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")) or

  (event.category == "registry" and event.action == "modification" and
   registry.path : ("H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                    "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                    "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
                    "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"))
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Persistence via a Windows Installer

Windows Installer, through msiexec.exe, facilitates software installation and configuration. Adversaries exploit this by creating persistence mechanisms, such as scheduled tasks or startup entries, to maintain access. The detection rule identifies suspicious activity by monitoring msiexec.exe for file creation in startup directories or registry modifications linked to auto-run keys, signaling potential persistence tactics.

### Possible investigation steps

- Review the alert details to identify the specific file path or registry path involved in the suspicious activity, focusing on the paths specified in the query such as "?:\\\\Windows\\\\System32\\\\Tasks\\\\*" or "H*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*".
- Check the creation or modification timestamps of the files or registry entries to determine when the suspicious activity occurred and correlate it with other events or logs around the same time.
- Investigate the parent process of msiexec.exe to understand how it was executed and whether it was initiated by a legitimate user action or another suspicious process.
- Examine the contents of the created or modified files or registry entries to identify any scripts, executables, or commands that may indicate malicious intent.
- Look for any associated network activity or connections initiated by msiexec.exe or related processes to identify potential command and control communication.
- Cross-reference the involved file or registry paths with known indicators of compromise or threat intelligence sources to assess the risk level and potential threat actor involvement.
- If applicable, isolate the affected system and perform a deeper forensic analysis to uncover any additional persistence mechanisms or lateral movement within the network.

### False positive analysis

- Legitimate software installations or updates may trigger the rule when msiexec.exe creates scheduled tasks or startup entries. Users can create exceptions for known software vendors or specific installation paths to reduce noise.
- System administrators might use msiexec.exe for deploying software across the network, which can appear as suspicious activity. To handle this, exclude specific administrative accounts or IP ranges from the rule.
- Some enterprise management tools may utilize msiexec.exe for legitimate configuration changes, including registry modifications. Identify and exclude these tools by their process names or associated registry paths.
- Automated scripts or deployment tools that rely on msiexec.exe for software management can generate false positives. Consider excluding these scripts or tools by their execution context or associated file paths.
- Regularly review and update the exclusion list to ensure it aligns with the current software deployment and management practices within the organization.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate the msiexec.exe process if it is confirmed to be involved in creating unauthorized persistence mechanisms.
- Remove any scheduled tasks or startup entries created by msiexec.exe that are identified as malicious or unauthorized.
- Restore any modified registry keys to their original state if they were altered to establish persistence.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
- Review and update security policies to restrict the use of msiexec.exe for non-administrative users, reducing the risk of exploitation.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.007"
name = "Msiexec"
reference = "https://attack.mitre.org/techniques/T1218/007/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
...
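To make the query's matching logic concrete, the following is an added Python emulation (not Elastic's code) of the rule above: it reproduces the `host.os.type`, `process.name`/`Effective_process.name` and category/action checks, and emulates EQL's `:` operator as a case-insensitive wildcard match (`?` one character, `*` any run), then runs the logic over a few constructed sample events.

```python
import fnmatch

# Path patterns copied from the rule's query (backslashes are literal here).
STARTUP_FILE_PATHS = [
    r"?:\Windows\System32\Tasks\*",
    r"?:\programdata\microsoft\windows\start menu\programs\startup\*",
    r"?:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*",
]
RUN_KEY_PATHS = [
    r"H*\Software\Microsoft\Windows\CurrentVersion\Run\*",
    r"H*\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\*",
    r"H*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*",
    r"H*\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*",
]

def eql_match(value, patterns):
    """Emulate EQL ':' : case-insensitive glob match of value against any pattern."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_msiexec_persistence(event):
    """Apply the rule's query logic to one flattened event dict."""
    if event.get("host.os.type") != "windows":
        return False
    if not (eql_match(event.get("process.name"), ["msiexec.exe"])
            or eql_match(event.get("Effective_process.name"), ["msiexec.exe"])):
        return False
    cat, action = event.get("event.category"), event.get("event.action")
    if cat == "file" and action == "creation":
        return eql_match(event.get("file.path"), STARTUP_FILE_PATHS)
    if cat == "registry" and action == "modification":
        return eql_match(event.get("registry.path"), RUN_KEY_PATHS)
    return False

def ev(cat, action, path, proc="msiexec.exe", os_type="windows", eff=None):
    """Build a constructed sample event using the field names the rule references."""
    key = "file.path" if cat == "file" else "registry.path"
    return {"host.os.type": os_type, "process.name": proc, "Effective_process.name": eff,
            "event.category": cat, "event.action": action, key: path}

SAMPLE_EVENTS = [  # constructed telemetry, not real alerts; expect indexes 0, 1 and 4 to match
    ev("file", "creation", r"C:\Windows\System32\Tasks\Updater"),
    ev("registry", "modification", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater", proc="MSIEXEC.EXE"),
    ev("file", "creation", r"C:\Program Files\Vendor\app.exe"),            # not a startup location
    ev("registry", "modification", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Foo", proc="explorer.exe"),
    ev("file", "creation", r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk",
       proc="rundll32.exe", eff="msiexec.exe"),                            # matched via Effective_process.name
]

def matching_events(events):
    """Return the indexes of events the rule would alert on."""
    return [i for i, e in enumerate(events) if is_msiexec_persistence(e)]
```

Event 4 shows why the query also checks `Effective_process.name`: the writer is a different process, but Elastic Defend attributes the action to msiexec.exe.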
