Attack Chain

1. An attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.
2. The attacker leverages msiexec.exe, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.
3. The command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.
4. msiexec.exe downloads the MSI package to the victim’s machine.
5. The MSI package is executed, potentially installing malware, creating new files, or modifying system settings.
6. The installed malware establishes persistence through registry keys or scheduled tasks.
7. The malware initiates command and control (C2) communication to receive further instructions.
8. The attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.

Impact

Successful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of msiexec.exe for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. The dfirreport.com article references data exfiltration following exploitation via MSIExec.

Recommendation

• Enable Sysmon process-creation logging to activate the rules below, capturing command-line details (Sysmon EventID 1).
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
• Monitor network traffic for connections originating from msiexec.exe to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).
• Investigate any instances of msiexec.exe executing with command-line arguments containing HTTP or HTTPS URLs.
• Filter false positives by destination or parent process as needed based on your environment.