Msiexec.EXE Initiated Network Connection Over HTTP

Detects an initiated network connection by "Msiexec.exe" over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.

Sigma rule

```yaml
title: Msiexec.EXE Initiated Network Connection Over HTTP
id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
status: test
description: |
    Detects an initiated network connection by "Msiexec.exe" over port 80 or 443.
    Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022/01/16
modified: 2024/02/01
tags:
    - attack.defense_evasion
    - attack.t1218.007
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\msiexec.exe'
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - Some rare installers were seen communicating with external servers for additional information. While it's a very rare occurrence in some environments, an initial baseline might be required.
level: high
```
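The following is an added example, not code from the Sigma project or the rule's author: it reproduces the rule's `selection` block in plain Python and runs it over a handful of constructed Sysmon Event ID 3 (network connection) records, the usual telemetry behind Sigma's `windows` / `network_connection` logsource. Field names follow Sysmon's schema; the sample records and their 203.0.113.x destinations are made up for the demonstration. Beyond the two true positives, the samples exercise the cases the rule deliberately leaves out (an inbound connection, a non-standard port) and one it cannot see (a renamed copy of msiexec, because the network event only carries the image path).

```python
"""Rule-logic check for "Msiexec.EXE Initiated Network Connection Over HTTP".

Added example for this page, not part of the Sigma project or the rule
author's material. It mirrors the rule's `selection` block in Python and
evaluates it against constructed Sysmon Event ID 3 (network connection)
records. Field names follow Sysmon's event schema; the records below are
fabricated for the demonstration, not captured telemetry.
"""

# Values copied from the rule: the DestinationPort list and the Image suffix.
SUSPECT_PORTS = {80, 443}
IMAGE_SUFFIX = "\\msiexec.exe"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma semantics reproduced here:
      * string comparisons are case-insensitive by default, so
        C:\\WINDOWS\\SYSTEM32\\MSIEXEC.EXE still satisfies `Image|endswith`;
      * Sysmon emits Initiated and DestinationPort as strings, so both are
        normalised instead of being compared against the YAML literals' types;
      * a list of values under one field is an OR (port 80 or 443).
    """
    initiated = str(event.get("Initiated", "")).lower() == "true"
    image = str(event.get("Image", "")).lower()
    try:
        port = int(event.get("DestinationPort"))
    except (TypeError, ValueError):
        return False  # missing or malformed port can never hit the port list
    return initiated and image.endswith(IMAGE_SUFFIX) and port in SUSPECT_PORTS


# Constructed sample events (not real telemetry); only the fields the rule
# inspects plus a label are included.
SAMPLE_EVENTS = [
    # Outbound TLS from msiexec, the remote-package install case -> alert.
    {"label": "remote_msi_https", "EventID": 3, "Initiated": "true",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # Same behaviour with the path rendered in upper case -> still an alert.
    {"label": "remote_msi_http_uppercase", "EventID": 3, "Initiated": "true",
     "Image": "C:\\WINDOWS\\SYSTEM32\\MSIEXEC.EXE",
     "DestinationIp": "203.0.113.11", "DestinationPort": "80"},
    # Connection accepted by msiexec rather than opened by it -> no alert.
    {"label": "inbound_to_msiexec", "EventID": 3, "Initiated": "false",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "443"},
    # msiexec reaching a non-standard port -> outside this rule's scope.
    {"label": "msiexec_port_8443", "EventID": 3, "Initiated": "true",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationIp": "203.0.113.12", "DestinationPort": "8443"},
    # A renamed copy evades the Image suffix check: the rule keys on the path,
    # and Sysmon's network event carries no OriginalFileName to fall back on.
    {"label": "renamed_msiexec_copy", "EventID": 3, "Initiated": "true",
     "Image": "C:\\Users\\Public\\setup.exe",
     "DestinationIp": "203.0.113.13", "DestinationPort": "443"},
    # Ordinary browser traffic on 443 -> no alert.
    {"label": "browser_https", "EventID": 3, "Initiated": "true",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.14", "DestinationPort": "443"},
]


def triage(events):
    """Return the labels of the events that fire the rule, in input order."""
    return [e["label"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for label in triage(SAMPLE_EVENTS):
        print("ALERT", label)
```

In production the rule would be converted with the Sigma tooling (sigma-cli / pySigma) into a query for the SIEM holding the Sysmon events rather than evaluated like this; the script only makes the matching semantics, and the gaps a renamed binary or an unusual port leaves, visible on concrete records.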
