Suspicious MSIExec Remote Download

The detection focuses on identifying instances where msiexec.exe is used with an HTTP or HTTPS URL in the command line. This behavior is indicative of an attempt to download and execute potentially malicious software from a remote server. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. The activity is often used to bypass traditional security controls.

Attack Chain

1. An attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.
2. The attacker leverages msiexec.exe, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.
3. The command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.
4. msiexec.exe downloads the MSI package to the victim’s machine.
5. The MSI package is executed, potentially installing malware, creating new files, or modifying system settings.
6. The installed malware establishes persistence through registry keys or scheduled tasks.
7. The malware initiates command and control (C2) communication to receive further instructions.
8. The attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.

Impact

Successful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of msiexec.exe for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. The dfirreport.com article references data exfiltration following exploitation via MSIExec.

Recommendation

• Enable Sysmon process-creation logging to activate the rules below, capturing command-line details (Sysmon EventID 1).
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
• Monitor network traffic for connections originating from msiexec.exe to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).
• Investigate any instances of msiexec.exe executing with command-line arguments containing HTTP or HTTPS URLs.
• Filter false positives by destination or parent process as needed based on your environment.