Remote Management Access Launch After MSI Install
Detects an MSI installer execution followed by the execution of commonly abused remote management software such as ScreenConnect, potentially indicating abuse in which an attacker triggers an MSI install and then connects via a guest link with a known session key.
This detection identifies a suspicious sequence of events in which an MSI installer is executed and, shortly afterwards, remote management (RMM) software such as ScreenConnect, Syncro, or VNC is launched. Attackers may use this technique to gain unauthorized access to systems by first installing malicious software via an MSI package and then using the RMM software to establish a remote connection. The rule specifically looks for msiexec.exe being run with an install argument (/i) followed by the execution of known RMM tools within a short window. This behavior often indicates an attempt to establish persistent remote access to a compromised machine. The detection is designed for Windows environments and covers data sources including Elastic Defend, Sysmon, SentinelOne, Microsoft Defender XDR, and CrowdStrike.
Attack Chain
- An attacker gains initial access to a system through various means (e.g., social engineering, compromised website, or existing malware).
- The attacker deploys a malicious MSI installer to the victim machine. This can be done through phishing attachments or drive-by downloads.
- The user executes the MSI installer (msiexec.exe) with an installation argument (/i or -i). The parent process is typically explorer.exe or sihost.exe, indicating user-initiated installation.
- The MSI installer executes, potentially installing malware or modifying system settings.
- Within one minute of the MSI installation, a remote management (RMM) client is launched, such as ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, or winvnc.exe.
- The RMM client attempts to establish an outbound connection to a remote server controlled by the attacker, often using pre-configured access keys.
- The attacker gains remote access to the compromised system via the RMM client. In the case of ScreenConnect, the attacker may use a guest link with a known session key.
- The attacker performs malicious activities, such as data exfiltration, lateral movement, or installing additional malware.
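As an added example (not the platform's own rule, whose query is kept inside the platform), here is a small Python correlator that implements the sequence described above over constructed Sysmon-style process-creation records: msiexec.exe run with /i or -i under explorer.exe or sihost.exe, followed on the same host within a tunable maxspan by one of the four RMM images named in the attack chain. The record field names, host names, file paths and timestamps are assumptions made for illustration.

```python
"""Added example: a minimal correlator for the msiexec -> RMM sequence.
Field names, sample hosts, paths and times are assumptions, not real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# RMM client images named in the attack chain (compared case-insensitively).
RMM_IMAGES = {
    "screenconnect.clientservice.exe",
    "syncro.installer.exe",
    "tvnserver.exe",
    "winvnc.exe",
}
# Parents that indicate a user-initiated install, per step 3 of the attack chain.
USER_PARENTS = {"explorer.exe", "sihost.exe"}
# msiexec install switch as a standalone argument: "/i" or "-i", any case.
INSTALL_SWITCH = re.compile(r"(?:^|\s)[/-]i(?:\s|$)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style); field names are assumed."""
    host: str
    ts: datetime
    image: str
    cmdline: str
    parent_image: str


def is_msi_install(ev: ProcEvent) -> bool:
    return (
        basename(ev.image) == "msiexec.exe"
        and INSTALL_SWITCH.search(ev.cmdline) is not None
        and basename(ev.parent_image) in USER_PARENTS
    )


def is_rmm_launch(ev: ProcEvent) -> bool:
    return basename(ev.image) in RMM_IMAGES


def correlate(events: list[ProcEvent], maxspan: timedelta) -> list[tuple[ProcEvent, ProcEvent]]:
    """Pair each RMM launch with every qualifying msiexec install on the same host
    that happened no more than maxspan earlier. maxspan is the knob the
    recommendation says to tune; the rule text uses one minute."""
    installs: dict[str, list[ProcEvent]] = {}
    hits: list[tuple[ProcEvent, ProcEvent]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_msi_install(ev):
            installs.setdefault(ev.host, []).append(ev)
        elif is_rmm_launch(ev):
            for msi in installs.get(ev.host, []):
                if timedelta(0) <= ev.ts - msi.ts <= maxspan:
                    hits.append((msi, ev))
    return hits


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry (not real logs). Hosts, paths and times are invented.
SAMPLE_EVENTS = [
    # WS01: user-launched install, then the ScreenConnect client 20 s later -> should alert
    ProcEvent("WS01", _t("2024-05-01 09:00:00"), r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\support-tool.msi /qn",
              r"C:\Windows\explorer.exe"),
    ProcEvent("WS01", _t("2024-05-01 09:00:20"),
              r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
              r'"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"',
              r"C:\Windows\System32\services.exe"),
    # WS02: install, but a VNC server only 5 minutes later -> outside the default maxspan
    ProcEvent("WS02", _t("2024-05-01 10:00:00"), r"C:\Windows\System32\msiexec.exe",
              r"msiexec -i C:\Temp\pkg.msi", r"C:\Windows\System32\sihost.exe"),
    ProcEvent("WS02", _t("2024-05-01 10:05:00"), r"C:\Program Files\UltraVNC\winvnc.exe",
              r"winvnc.exe -service", r"C:\Windows\System32\services.exe"),
    # WS03: an uninstall (/x), then TightVNC 10 s later -> not an install, no alert
    ProcEvent("WS03", _t("2024-05-01 11:00:00"), r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /x {PLACEHOLDER-PRODUCT-GUID} /qn", r"C:\Windows\explorer.exe"),
    ProcEvent("WS03", _t("2024-05-01 11:00:10"), r"C:\Program Files\TightVNC\tvnserver.exe",
              r"tvnserver.exe -run", r"C:\Windows\System32\services.exe"),
]


def run_rule(maxspan_minutes: int = 1) -> list[tuple[str, str, str]]:
    """Return (host, install cmdline, rmm image name) for each correlated pair."""
    pairs = correlate(SAMPLE_EVENTS, timedelta(minutes=maxspan_minutes))
    return [(m.host, m.cmdline, basename(r.image)) for m, r in pairs]


if __name__ == "__main__":
    for host, cmd, rmm in run_rule():
        print(f"ALERT host={host} install={cmd!r} rmm={rmm}")
```

With the default one-minute window only WS01 fires; widening maxspan to ten minutes also pulls in WS02, which is exactly the trade-off to weigh when tuning the rule: a longer window catches slower installers but also sweeps in more legitimate, IT-initiated RMM deployments.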
Impact
Successful exploitation allows attackers to gain persistent remote access to compromised systems. This can lead to data theft, financial fraud, or disruption of services. Depending on the scope of the initial access, the attacker may be able to move laterally within the network, compromising additional systems. The use of RMM software can mask malicious activity as legitimate remote support, making detection more difficult.
Recommendation
- Enable process creation logging via Sysmon or Windows Security Event Logs to capture the execution of msiexec.exe and RMM tools.
- Deploy the “Remote Management Access Launch After MSI Install” Sigma rule to your SIEM and tune the timeframe (maxspan) to suit your environment.
- Investigate any alerts generated by this rule, focusing on the source of the MSI file and the destination of the RMM connection.
- Block the execution of unauthorized RMM software on your network based on process name, as identified in the rule (ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, winvnc.exe).
- Monitor network connections for RMM software connecting to unusual or external IPs.
Detection coverage (2 rules)
ScreenConnect Guest Access After MSI Install
Severity: medium. Detects ScreenConnect client execution with guest access parameters shortly after an MSI install.
RMM Tool Execution After MSI Install
Severity: medium. Detects execution of Syncro or VNC tools after MSI install.
Detection queries are kept inside the platform.