{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/msi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["command and control","rmm","msi","windows","remote access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a suspicious sequence of events where an MSI installer is executed, followed by the launch of remote management software (RMM) such as ScreenConnect, Syncro, or VNC. Attackers may leverage this technique to gain unauthorized access to systems by first installing malicious software via an MSI package, and then using the RMM software to establish a remote connection. The rule specifically looks for msiexec.exe being run with an install argument (/i) followed by the execution of known RMM tools within a short timeframe. This behavior is often indicative of malicious actors attempting to establish persistent remote access to compromised machines. The detection is designed for Windows environments and covers a range of data sources including Elastic Defend, Sysmon, SentinelOne, Microsoft Defender XDR, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., social engineering, compromised website, or existing malware).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious MSI installer to the victim machine. This can be done through phishing attachments or drive-by downloads.\u003c/li\u003e\n\u003cli\u003eThe user executes the MSI installer (msiexec.exe) with an installation argument (/i or -i). The parent process is typically explorer.exe or sihost.exe, indicating user-initiated installation.\u003c/li\u003e\n\u003cli\u003eThe MSI installer executes, potentially installing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eWithin one minute of the MSI installation, a remote management software (RMM) client is launched, such as ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, or winvnc.exe.\u003c/li\u003e\n\u003cli\u003eThe RMM client attempts to establish an outbound connection to a remote server controlled by the attacker, often using pre-configured access keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system via the RMM client. In the case of ScreenConnect, the attacker may use a guest link with a known session key.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration, lateral movement, or installing additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain persistent remote access to compromised systems. This can lead to data theft, financial fraud, or disruption of services. Depending on the scope of the initial access, the attacker may be able to move laterally within the network, compromising additional systems. The use of RMM software can mask malicious activity as legitimate remote support, making detection more difficult.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to capture the execution of msiexec.exe and RMM tools.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Remote Management Access Launch After MSI Install\u0026rdquo; Sigma rule to your SIEM and tune the timeframe (maxspan) to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the source of the MSI file and the destination of the RMM connection.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unauthorized RMM software on your network based on process name, as identified in the rule (ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, winvnc.exe).\u003c/li\u003e\n\u003cli\u003eMonitor network connections for RMM software connecting to unusual or external IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-after-msi/","summary":"Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect, potentially indicating abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.","title":"Remote Management Access Launch After MSI Install","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/"}],"language":"en","title":"CraftedSignal Threat Feed — Msi","version":"https://jsonfeed.org/version/1.1"}